The Journal of Physical Security 
Volume 15(1), 2022 


(ISSN 2157-8443)


IN THIS ISSUE... 

Editor’s Comments, pages i-xi

JT Jackson, “ZigBee Jamming”, pages 1-13 
JT Jackson, "ZigBee Deep Penetration", pages 14-20 

JT Jackson, "Parallel GPU Password Crack Times", pages 21-29 


B Kelly, "Body Worn Cameras and the Cloud: 
The Costs of Getting it Wrong", pages 30-47 


RG Johnston, "The FDA and DHS Blessings of Security 
Technologies: ...Security or Security Theater?", pages 48-52 


MA Silva, "Reducing Security Guard Turnover", pages 53-58 


RG Johnston, "In Risu Veritas", pages 59-66 


Table of Contents 
Journal of Physical Security, Volume 15(1), 2022 


Available at http://jps.rbsekurity.com 


Editor’s Comments, pages i-xi 

JT Jackson, "ZigBee Jamming", pages 1-13

JT Jackson, "ZigBee Deep Penetration", pages 14-20

JT Jackson, "Parallel GPU Password Crack Times", pages 21-29

B Kelly, "Body Worn Cameras and the Cloud: The Costs of Getting it Wrong", pages 30-47 


RG Johnston, "The FDA and DHS Blessing of Security Technologies: Positive Contributions
to Security or Security Theater?", pages 48-52


MA Silva, "Reducing Security Guard Turnover", pages 53-58 


RG Johnston, "In Risu Veritas", pages 59-66 


Journal of Physical Security 15(1), i-xi (2022) 


Editor’s Comments 


Welcome to volume 15, issue 1 of the Journal of Physical Security (JPS). In addition to the 
usual editor’s rants and news about security that appear immediately below, this issue has 
papers about ZigBee vulnerabilities, practical password cracking, humor & security, the 
costs of police body camera video storage, tips for reducing security guard turnover, and 
FDA & DHS blessing of security technologies. 


All papers are anonymously peer reviewed unless otherwise noted. We are very grateful
indeed to the reviewers who contribute their time and expertise to advance our
understanding of security without receiving recognition or compensation. This is the true sign of
a professional!


Past issues of JPS are available at http://jps.rbsekurity.com, and you can also sign up
there to be notified by email when a new issue becomes available. A cumulative table of
contents for the years 2004 through 2022 is available at
http://rbsekurity.com/PSArchives/grand jps TOC.pdf


JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS is a small
company devoted to physical security consulting, vulnerability assessments, and R&D
(http://rbsekurity.com).


As usual, the views expressed in these papers are those of the author(s) and should not 
necessarily be ascribed to their home institution(s), employer, other authors in this issue, 
the editor, JPS, or Right Brain Sekurity. Similarly, the views expressed in these editor’s 
comments are his own and should not necessarily be ascribed to other authors in this issue 
or to any fully sensible individual. 


*****


Uvalde 


It is easy to Monday morning quarterback an active shooter incident, especially when you 
are not the one at risk or in the middle of a chaotic and frightening situation. At least as of 
this writing, there nevertheless appear to be some lessons that need to be learned from
the Uvalde school shooting. 


Ever since Columbine 22 years ago, the recommended protocol for dealing with an active 
shooter has emphasized the Prime Directive: law enforcement and security first 
responders—if they are armed and possibly if they are not—must immediately attempt to 
neutralize the active shooter. Do not wait for backup. Do not wait out the situation. Do not 
seek negotiations. Do not focus on evacuating potential victims or on the wounded/dead. 


This Prime Directive is widely believed to be the best chance to optimize the safety of 
innocent victims and save their lives. It does not optimize the safety of the first responders. 
But running towards the danger is what the job calls for, what security and law 
enforcement personnel are being paid for, and is a sacred responsibility if you sign up for 
that kind of service. 


Many of the security and law enforcement personnel on the scene at Uvalde reportedly 
had recent active shooting training that presumably included the ideas contained in the 
Prime Directive. Nevertheless, about 140 armed personnel, many with body armor, 
reportedly waited for an hour or so before an ad hoc group including federal agents 
overruled local law enforcement and engaged with the shooter. 


What potential lessons can we learn from this incident? 


1. Active shooter training did not appear to work well in this case, at least as far as the 
Prime Directive is concerned. Clearly more effective training is necessary that will provide 
the proper motivation in an emergency. (1) Was the training only in the classroom, with no 
field practice? (2) Should active shooter training contain warnings and case studies of the 
formal and informal damage to the careers and reputation of security and law enforcement 
officials who failed to act in accordance with their active shooter training, never mind the 
victims? 


2. Concerns about communication, organization, and a chain of command are important 
but in this case, they seemed to have gotten in the way of taking necessary action in a timely 
manner. Surely there needs to be a discussion of when qualified SWAT, state, and federal 
officers need to overrule local jurisdiction to engage an active shooter in a timely manner. 
Reportedly, law enforcement officers failed to act because of the orders from the local 
incident commander, who was not even in their line management. 


3. The back door of the school was reportedly meant to be locked but the locking 
mechanism did not work. Locking external doors is not a foolproof countermeasure, but it 
might have meant the shooter would have entered the school at the main entrance, and 
have been detected sooner. Good security policies are useless if they are not followed or if 
the hardware does not work as intended, as appears to have been the case. 


4. There reportedly was a lack of preparation. The incident commander supposedly did 
not have a police radio and 911 calls were not shared with him. A master key could not be
accessed quickly. Body armor and breach hardware were seemingly not readily available. 
The back door locking mechanism may not have worked properly. These things together 
would seem to be an example of Michener’s Maxim: We are never prepared for what we 
expect. And nowadays, school mass shootings must—tragically—be something we expect. 


In public discussions, however, about gun violence in the U.S. involving children, it is 
probably worth noting that, according to the CDC, “Less than 2% of these homicides occur 
on school grounds, on the way to/from school, or at or on the way to/from a
school-sponsored event.” Mass shootings notwithstanding, schools remain the safest place for
most students in terms of all risks, not just gun violence risks. See:
https://www.cdc.gov/violenceprevention/youthviolence/schoolviolence/SAVD.html


Between 2015 and 2019, nearly 8,000 children and teens on average were shot and more 
than 1,600 died each year. (This is more than 22 and 4 per day, respectively.) Of those who 
died, 52% were murdered, 40% died from gun suicide and 5% were killed accidentally. 
Guns are now the leading cause of death in the U.S. for young people. See
https://www.npr.org/2022/05/28/1101307932/texas-shooting-uvalde-gun-violence-children-teenagers


*****


Looking for Trouble 


One of the techniques that experts recommend for evaluating personal risks is to seek out 
information, experts, and other people that contradict your assessment of a given risk. Even 
if wrong, the opposing viewpoints may force you to think more critically about the true risk. 
We tend to surround ourselves with people who make the same risk assessments that we do, 
so alternative viewpoints are a good idea. 


This philosophy also makes sense for enterprise security. A devil’s advocate approach is a 
good vaccine against the complacency, arrogance, and cognitive dissonance that so often 
plagues security programs. 


*****


Dealing with Dissonance in the Cogs 


Properly dealing with Cognitive Dissonance—the mental tension between what we want 
to believe and what is probably true—is a huge problem in security, especially in large 
organizations. As Robert Ringer puts it, “Reality isn't the way you wish things to be, nor the 
way they appear to be, but the way they actually are.” Or as the great philosopher Yogi 
Berra (1925-2015) put it more succinctly, “Nothing is like it seems, but everything is exactly 
as it is.”


*****


Don’t Fear the Anxiety! 


"Anxiety evolved to help protect us," says Suzuki, a professor of neural science and 
psychology at the Center for Neural Science at New York University. "We need to recalibrate 
our level of anxiety to get it back to that level where it is superprotective for us." For more
information, see https://www.npr.org/2021/09/07/1034777586/good-anxiety-benefits-coping-strategies


This is something to keep in mind with security. Complacency is the enemy of good 
security. A reasonable amount of anxiety about your security is a good thing. We should 
not get too comfortable. The old saying has it right: If you are comfortable with your 
security, so are the bad guys. 


*****


Muse over See Ems 


This is an excellent guide for improving museum security that contains ideas important 
for other types of security as well: 
https://www.tepapa.govt.nz/sites/default/files/te_ papa museum secrurity resource guide zv7_1.pdf 


*****


Tipping Point 


Silva Consulting has posted quite a number of thought-provoking blurbs full of security 
tips. These are well worth checking out: https://www.silvaconsultants.com/security-tips


*****


Safety vs. Security 


I think Safety Professionals should always have input on Security (and vice versa), 
including helping to identify targets and consequences of attacks. And techniques (such as 
Vulnerability Assessments) used for SECURITY Analysis might have applicability to SAFETY. 
(See, for example, RG Johnston, “Adversarial Safety Analysis: Borrowing the Methods of
Security Vulnerability Assessments”, Journal of Safety Research 35, 245-248 (2004),
https://pubmed.ncbi.nlm.nih.gov/15288557/.)


But in my experience, when Security is managed by Safety Professionals using Safety 
thinking and tools, it almost always results in a train wreck. Why is that? Well, Security 
often fails when Security Professionals don't focus on the adversaries, their resources and 
goals, vulnerabilities, and likely attack scenarios. Safety Professionals don't have an 
adversary to deal with, so they automatically overlook malicious adversaries. (Employees 
who ignore or flout, or who don't know about Safety rules, are not adversaries—they are
just dolts in a bad safety culture. If they were malicious with deliberate intent, they would 
be saboteurs—a matter for Security not really Safety.) 


In my view, too many organizations, especially for nuclear security and safeguards, try to 
manage security using safety analysis tools and models, safety mentality, and safety 
personnel. Really not a good idea! 


It is easy to understand why a Safety approach would be preferred to a Security 
approach. Safety—while no walk in the park after Sunday school—is still easier and less
threatening to managers and organizations than thinking profoundly, creatively, and
realistically about Security. But Security is not well served by taking the easy way out. 


*****


Tag, You’re It! 


Tags are the often misunderstood cousins of seals. (Not that seals are typically well 
understood, either!) A tag is an applied technology or an intrinsic feature that uniquely identifies 
an object or container. There are basically 5 kinds: 

• informational tag (security may or may not be an issue)

• inventory tag (no malicious adversary)

• security tag (counterfeiting & lifting are issues)

• buddy tag or token (only counterfeiting is an issue)

• anti-counterfeiting (AC) tag (counterfeiting & sometimes lifting or dilution are issues)


Depending on their type, use, and design, both tags and seals may be susceptible to 
counterfeiting, lifting, or dilution. “Lifting” is removing a tag or seal from one object or 
container and placing it on another, without being detected. “Dilution”, often used to attack 
high-tech AC tags, involves removing part of the tag or seal and using it on a counterfeited one 
such that there is enough of a legitimate signal to fool the tag or seal reader. 


There is considerable overlap between tags and seals. Sometimes security tags are used as 
tamper-indicating seals and vice versa. Sometimes flag seals (no malicious adversary) are used 
as inventory tags and vice versa. In international nuclear safeguards, arms control treaties, and 
certain other applications, tamper-indicating seals may also be used as buddy tags or as AC tags 
to determine if an item is authentic or original. Tags and seals also often share some common 
modes of attack. 


I recently learned of a ubiquitous kind of tag that I had been totally unaware of, namely pole 
tags. Pole tags can be found on telephone and power poles to identify the pole so you can report 
a problem. The tags may also provide certain information such as whether the pole is safe to 
climb for repairs and how the wood was treated for rot. For more information and some rather 
cool pictures of pole tags, see: 
https://www.reddit.com/r/whatisthisthing/comments/bh22na/metal_plates_on_telephone_pole_with_letters_and/

and 


https://premaxlp.com/all-the-products/custom-pole-tags/ 


*****


Smart Tags to Help the Bad Guys 


Apple AirTags are meant to be attached to important items such as car keys. You can then use 
your iPhone to find them. Crooks, however, are apparently using Apple AirTags to track or stalk 
people and their cars. See, for example: 


https://www.komando.com/security-privacy/apple-airtag-stalking-prevention/826083/ 


https://www.theverge.com/2022/3/1/22947917/airtags-privacy-security-stalking-solutions 


*****


Smart Home Hack 


A device for hacking and assessing smart home and other security devices:
https://gizmodo.com/this-unassuming-little-device-can-hack-your-smart-home-1846448809


*****


Is it Cheating if the Idea Just Comes Into Your Head? 


A medical student has been caught allegedly trying to cheat with a Bluetooth micro-receiver
surgically implanted in his ear while taking an exam in India. Cheating is reportedly
a problem with India’s highly competitive medical school exams. See https: [L 

il.co.uk 0543 


davies: -surgically- ean lasited: ear-India.html 


*****


Every Wall is a Door 


The U.S./Mexico border wall has been breached more than 3,000 times by Mexican 
smugglers in the past 3 years, mostly using inexpensive power tools available at hardware 
stores. See https://www.washingtonpost.com/national-security/2022/03/02/trump-border-wall-breached/


*****


Toxic Shock Syndrome 


A new study suggests high employee turnover is driven at least partially by employers’ 
toxic culture: https://sloanreview.mit.edu/article/toxic-culture-is-driving-the-great-resignation/
High employee turnover is a huge productivity, cost, and security problem for any
organization, but especially for those that deploy security guards and other security 
professionals. 


Contributing to a toxic culture is the fact that narcissists tend to move up in organizations 
eae 


ladder nail 


*****


Boring! 


Contagious yawning may be a social communication tool specific to higher-order animals: 
https://www.houstonmethodist.org/blog/articles/2021/feb/why-do-we-yawn-and-are-yawns-really-contagious/


Can yawn detection be used as a metric for empathy and alertness in security personnel? 


*****


Well at Least He Wasn't Sitting Around Doing Nothing 


A bored security guard ruined a nearly $1 million painting during his job at a Russian art 
gallery: 


eee -draws- epee ace es -figures-Russian-gallery.htm] 


https://www.theartnewspaper.com/2022/02/11/russian-guard-who-doodled-on-dollar1m-painting-speaks-out-im-a-fool-what-have-i-done


*****


Finding Yourself 


A “missing” man accidentally joins a search for himself:
https://www.bbc.com/news/world-europe-58746703


*****


Hey, You “**#!*_#4!, It’s Now “Y7#jfE4!Z*$ps7”, Not “Y7#jfE4!Z*$ps6”!


Is forcing computer users to frequently change their long, gibberish passwords a good 
idea? See 


aah oped now-in- -2022/ 


*****


Let’s Envision Our Lack of Imagination! 


In 1898, Morgan Robertson wrote a book about a large, supposedly unsinkable British 
passenger liner that hit an iceberg during a trip across the North Atlantic and sank. In the 
story, there were many casualties because of a lack of enough lifeboats. This was 14 years 
before the real Titanic sank. The book's title was The Wreck of the Titan. See
https://en.wikipedia.org/wiki/The_Wreck_of_the_Titan:_Or,_Futility


Tom Clancy famously “predicted” 9/11 in his 1994 novel, Debt of Honor:
https://www.mcdonoughvoice.com/story/opinion/columns/2014/09/09/7-years-warning-on-9/36497432007/
This novel was used as one of many arguments against National
Security Adviser Condoleezza Rice’s claim that “no one” could have predicted that someone
would use a “hijacked airplane as a missile.”


Fictional novels have often eerily predicted the future with considerable accuracy:
https://time.com/5380613/books-predict-future/ The same has been true of science fiction
stories.


*****


We Need More Magic! 


We need to be better aware of the limitations of our perceptions, and how they can affect 
security. If it was up to me, I would require all security personnel to be exposed to magic 
demonstrations, and the misdirection and psychological issues that magic exploits. See, for
example, https: 


free-will/vp-AAVHYpv 


*****


Oughta Audit Good 


In my experience, auditing employees for mindless compliance with security rules, 
policies, regulations, guidelines, and standards is often more wasteful Security Theater than 
it is an effective security tool. But it is worse than that. When auditors strive to nitpick,
“catch”, and slam employees who are accused of not fully enacting security requirements 
mandated by high-level bureaucrats with no understanding of the local conditions or 
culture, and when there is no local sanity check on these requirements, security becomes 
the enemy of productivity and of employees. Auditors and the bureaucratic secret police 
then come to be viewed as the enemy; focus is taken away from worrying about the true 
adversaries. 


What should good security auditing look like? In my view, employees should be asked to 
demonstrate to auditors that they have good security. If employees wish to invoke the 
security rules as part of that, so be it. But if employees have different/alternative/ 
additional ideas and practices that permit good local security, they should be encouraged to 
point those out. Auditors should ask employees how they think their security could be 
attacked, and how it can be made better, but also ways to make it less intrusive, cheaper, 
and less of a hassle. 


Auditing should not be about bashing heads, but be more about 
praising employees when there is good security, and having 
cooperative discussions about local security. This, however, requires 
auditors, security managers, and organizational leaders who aren't 
uninformed authoritarian nitwits. And it requires recognizing that 
security is always about the details and the local conditions, not about 
threatening employees or one-size-fits-all thinking.


*****


Sinusoidal Oscillations 


Sicklical Maxim: Security is cyclical. First there is complacency, Security Theater, and 
insufficient attention/resources devoted to security. Then a serious security incident 
occurs. This results in overreaction, scapegoating, and new, even sillier kinds of Security 
Theater. The increased attention and resources that result eventually decay away over 
time, leading us back to where we started. The cycle starts anew! 


For hundreds of other sad but true Security Maxims, see:
https://www.amazon.com/dp/B08C9D73Z9


*****


Getting High with the FBI 


The FBI will now reportedly accept candidates for employment who have smoked pot in 
the past, as long as it is no more than 24 times after turning 18 years of age. Not clear why
24 is the magic number. See https:
smoke-weed-24-times-after-you-turn-18-you-cant-work-for-the-agenc 


Seems to me that the FBI is being overly picky about who works there, given the many 
decades of misconduct and massive screwups from the folks who already work there. See, 
for example: 

https://autos.yahoo.com/another-fbi-failure-larry-nassar-203948483.html


https://listverse.com/2018/01/12/top-10-fbi-fails


These links mostly don’t even cover some of the earlier corruption and incompetence 
such as the following: In the past, the FBI Lab has falsified, altered, or suppressed evidence; 
FBI employees on the witness stand made false scientific claims that may have led to the 
wrongful convictions of hundreds; there were multiple cases of forensics incompetence 
(including false terrorist accusations against Oregon lawyer Brandon Mayfield); FBI agents 
and former agents have been arrested for various types of misconduct including leaking 
classified information and federal child pornography violations. Then there is sexting by 
FBI employees on the job; hundreds of FBI employees allegedly cheating on exams; the 
botched Lee Harvey Oswald interrogation; the Wen Ho Lee espionage debacle; the decades 
of inept efforts to find an alleged Soviet FBI mole named “Dick”; and the FBI ignoring 
warnings from its own agents that might have prevented 9/11. 


But wait, there’s more! According to a recent FBI internal report, from 2010 to 2012, the 
FBI disciplined over 1,000 employees for (often lurid) misdeeds. After 9/11, the FBI 
collected intelligence on Americans without the required court orders, and from 
1950-1970+, the agency engaged in surveillance and harassment of civil rights groups, 
women’s organizations, and war protestors. 


Meanwhile, the Secret Service has hardly been free of serious screw ups, misconduct, 
corruption, and training deficiencies. The agency purportedly still has a flawed culture and 
other problems: 


*****


It Takes an Artist 


Practical tips for stealing art: 


https://www.gq.com/story/secrets-of-the-worlds-greatest-art-thief


*****


Never Work with Children or Animals (or Knuckleheads) 


Weirdest things that TSA screeners have caught:
https://discovernet.io/2021/09/11/weirdest-things-caught-by-airport-tsa/


Security Theater luggage locks: https://www.travelandleisure.com/travel-tips/luggage-locks-useless


Retail Security Theater: https://guardtime.com/blog/6-reasons-why-encryption-isnt-working


Security Theater fencing: https://danielmiessler.com/blog/the-strange-world-of-good-enough-fencing/


Security Theater fencing 2: https://tiphero.com/useless-security-measures


Do RFID-Blocking wallets make any sense?:
https://losspreventionmedia.com/are-rfid-blocking-wallets-necessary-to-prevent-credit-card-theft/


Why encryption doesn’t work: https://guardtime.com/blog/6-reasons-why-encryption-isnt-working


Crazy see) eh stories: sie Laeencumap ies com /eric- cima eras ae 
ie 


Crazy Zoo incident stories:
https://www.tickld.com/wow/2445999/zookeepers-share-the-craziest-thing-to-happen-on-the-job/


*****


-- Roger Johnston 
Oswego, Illinois 
June, 2022 


Journal of Physical Security 15(1), 1-13 (2022) 


ZigBee Jamming 


John T. Jackson, Jr., MS 
Jackson Research 


www.jrmagnetics.com 


Abstract 


ZigBee is a popular wireless network protocol for home security systems. It is well known to
be quite insecure from a hacker’s perspective. However, security professionals often fail to realize
that the easiest method for compromising ZigBee home security networks is often overlooked in
favor of more complicated attacks. Jamming is just one of many “Deep
Penetration” methods. Although there are many different methods for jamming wireless
networks, the simplest jamming method for ZigBee is also probably the most effective. An
intruder does not need a Ph.D. in computer science to successfully penetrate a ZigBee home
security system with basic jamming.


Introduction 


ZigBee wireless networks share the 2.4 GHz to 2.5 GHz frequency band with WiFi and 
Bluetooth. There are 14 WiFi channels, 80 Bluetooth channels and 16 ZigBee channels all 
occupying the same space in the electromagnetic spectrum. How they are distributed between 
2.4 GHz and 2.5 GHz is shown in Figure 1. I do not cover the various methods of network deep
penetration on all protocols, as the subject is extensive and can be quite complicated. In this paper, I do
discuss in basic terms the various means of jamming. I supply sufficient references for those who
want to delve deeper into the more sophisticated jamming methods. In this paper, I focus on the
jamming technique that I believe is most effective against ZigBee networks for intrusion,
which just happens to be the simplest overall. The system I used to jam my own ZigBee network
is described herein, including information about both the hardware and software.


It is important to note that WiFi and Bluetooth are rarely used in physical security systems for
several reasons. WiFi and Bluetooth are designed to carry data traffic, while security sensors usually
only transmit binary states and very little information. WiFi and Bluetooth consume so much
power that battery-operated WiFi devices are impractical and Bluetooth devices require recharging
every few hours, making both impractical for wireless sensors. ZigBee was created to
handle this problem of distributed sensors in an industrial environment and has now become
popular in the physical security market for these same reasons. ZigBee sensors are very low
power, which limits their range and sometimes requires repeaters in larger networks. The chips
in these devices have very limited memory, which restricts firmware size and is also consistent
with keeping power consumption very low to extend battery life to one year or longer. ZigBee
security components usually use coin batteries that require power conservation to extend life.
This also means encryption is generally not available.


Jamming WiFi [1] or Bluetooth sets off pop-up windows on the video monitor of computers 
using wireless networks, alerting the user that communications have been disrupted. Since WiFi, 
Bluetooth, and ZigBee all use the same frequency range, jamming will interfere with any 
communications device operating within the frequency of the jamming hardware. Breaking and 
entering usually occurs when the facilities are vacant so that WiFi and Bluetooth communications 
are either turned off or not being monitored. When the physical security systems using ZigBee 
are jammed, no one will be alerted. ZigBee has no means to know when any sensors are not 
functional for any reason, including being jammed. ZigBee sensors are not polled to save battery 
life and do not have the firmware space to do that anyway. Every time a battery is changed in a 
ZigBee sensor, it must be paired again with the controlling hub. This can be quite problematic, if 
required on a frequent basis. Therefore, computations and communications with sensors are
kept at an absolute minimum. ZigBee systems are thus usually not too difficult to breach, and are 
obvious candidates for jamming. No one would know that any particular sensor is not working or 
is being jammed. The intruder could just walk in and walk out without detection. 


Entire home control systems have been built upon Internet of Things (IoT) ZigBee devices, 
including heating and air conditioning. Interfering with lights and other apparatus, i.e., 
“spoofing”, does not imply that hacking the system can easily allow an intruder to defeat the 
physical security system that is integrated into the network. Magnetic contacts and motion
sensors do not have on/off switches. They have binary states based upon sensor behavior. The 
intruder would have to know the layout of the entire system and have spent considerable time 
monitoring the system while in use and develop a strategy. Most security sensors will not be 
vulnerable to this kind of attack. 


The best way to compromise the ZigBee hub is to gain access to the operating system through 
its Internet connection. The sensors cannot be reprogrammed, but the hub can. However, for the 
least amount of effort and expertise, the easiest way to break an entire ZigBee physical security
system is to jam the ZigBee system so that the hub is deaf, dumb, and blind. Jamming requires no 
special skill or elaborate reconnaissance. 


Real Signals versus Ideal Representations 


The graphical ZigBee channel representation in figure 1 does not show the side lobes of an 
actual ZigBee signal as shown in figure 2. The two side lobes actually spread outside the channel 
range beginning at the specified channel frequency boundaries. This makes operating adjacent 
ZigBee channels problematic. 


WiFi signals also have side lobes as shown in figure 3. Side lobes can be reduced using 
bandpass filters. However, this conflicts with the existence of the adjacent channels and channel 
hopping. A bandpass filter would block all other signals in the band. Consequently, all of the 
signals, regardless of the protocol, will have side lobes. Even with the WiFi channels staggered as 
shown in figure 1, there will be overlap of side lobes as shown in figure 4. It should also be clear 
from figure 4 that WiFi channels 1 and 6 will interfere with one another. 


[Figure 1 diagram. Labels recovered: 802.11b/g channels 22 MHz wide at 2412, 2437, and 2462 MHz; Bluetooth; frequency markers 2405, 2440, and 2480; band edges 2400 MHz and 2485 MHz.]


Fig 1 - Wireless Protocol Overlap [2].


[Figure 2 spectrum plot: density display, center 2.450000 GHz, span 10.000 MHz, scale 8 dB/div, reference level -20.00 dBm, resolution bandwidth 48.0 kHz.]


Fig 2 - Typical ZigBee Signal on Channel 20 [3].


ZigBee and Wi-Fi channel numbers may seem similar, suggesting that they won't overlap. 
Unfortunately, this is not the case. Just look at figures 3 and 5. The ZigBee signal also has side 
lobes so that both signals are mutually interfering even if staggered as shown in figure 6. 
However, the ZigBee signals are low power by design. This means that weak WiFi signals are still 
capable of over-powering adjacent ZigBee signals. 
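
The overlap described above can be checked from the nominal channel plans. The following is an added example, not code from the paper: it uses the standard IEEE 802.15.4 and 802.11b/g center-frequency formulas and the 22 MHz WiFi width labelled in Figure 1. The 2 MHz ZigBee width, the 3 MHz side-lobe margin, and all function names are assumptions made for illustration.

```python
from __future__ import annotations

# Added example (not from the paper): nominal channel plans only, no measurements.
ZIGBEE_WIDTH_MHZ = 2.0   # assumed nominal IEEE 802.15.4 occupied bandwidth
WIFI_WIDTH_MHZ = 22.0    # 802.11b/g channel width, as labelled in Figure 1


def zigbee_center_mhz(channel: int) -> float:
    """Center frequency of the 2.4 GHz ZigBee (IEEE 802.15.4) channels 11-26."""
    if not 11 <= channel <= 26:
        raise ValueError(f"ZigBee 2.4 GHz channels are 11-26, got {channel}")
    return 2405.0 + 5.0 * (channel - 11)


def wifi_center_mhz(channel: int) -> float:
    """Center frequency of 802.11b/g channels 1-14 (channel 14 is offset)."""
    if channel == 14:
        return 2484.0
    if not 1 <= channel <= 13:
        raise ValueError(f"WiFi 2.4 GHz channels are 1-14, got {channel}")
    return 2407.0 + 5.0 * channel


def overlap_mhz(zb_channel: int, wifi_channel: int,
                sidelobe_margin_mhz: float = 0.0) -> float:
    """Width in MHz shared by a ZigBee channel and a WiFi channel.

    sidelobe_margin_mhz widens the WiFi channel on both sides to model
    side lobes spilling past the nominal channel edge (an assumed figure).
    """
    zc = zigbee_center_mhz(zb_channel)
    wc = wifi_center_mhz(wifi_channel)
    zb_lo, zb_hi = zc - ZIGBEE_WIDTH_MHZ / 2, zc + ZIGBEE_WIDTH_MHZ / 2
    wf_lo = wc - WIFI_WIDTH_MHZ / 2 - sidelobe_margin_mhz
    wf_hi = wc + WIFI_WIDTH_MHZ / 2 + sidelobe_margin_mhz
    return max(0.0, min(zb_hi, wf_hi) - max(zb_lo, wf_lo))


def interferers(zb_channel: int, wifi_channels: list[int],
                sidelobe_margin_mhz: float = 0.0) -> list[int]:
    """WiFi channels whose (optionally widened) band covers this ZigBee channel."""
    return [w for w in wifi_channels
            if overlap_mhz(zb_channel, w, sidelobe_margin_mhz) > 0.0]


def clear_zigbee_channels(wifi_channels: list[int],
                          sidelobe_margin_mhz: float = 0.0) -> list[int]:
    """ZigBee channels not covered by any of the observed WiFi channels."""
    return [zb for zb in range(11, 27)
            if not interferers(zb, wifi_channels, sidelobe_margin_mhz)]


if __name__ == "__main__":
    observed_wifi = [1, 6, 11]  # the common WiFi channel plan
    for zb in range(11, 27):
        hits = interferers(zb, observed_wifi)
        print(f"ZigBee {zb} ({zigbee_center_mhz(zb):.0f} MHz): "
              f"inside WiFi {hits if hits else 'none'}")
    print("clear, main lobes only:", clear_zigbee_channels(observed_wifi))
    print("clear, 3 MHz side-lobe margin:",
          clear_zigbee_channels(observed_wifi, 3.0))
```

With main lobes only, four ZigBee channels fall between WiFi channels 1, 6, and 11; widening each WiFi channel by the assumed side-lobe margin leaves a single one, which is why a site survey should rely on measured spectra rather than channel numbers.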


A situation where there is only one WiFi router, just a few Bluetooth devices, and one ZigBee 
server within range is rare. In my lab, my equipment sees 6 WiFi routers, 11 Bluetooth devices
and 1 ZigBee server. Five of the WiFi router signals and all of the Bluetooth signals are coming
from neighbors. 


At a high-rise business complex on the seventh floor, I observed over two dozen WiFi routers 
and uncountable Bluetooth devices. That any of them work is only possible due to time sharing. 
Clearly, all traffic is very slow. The Bluetooth clicker for advancing the power point slides on the 
screen in a presentation only works half of the time. Large file transfers in this environment are 
not practical. A jammer in the high-rise office building environment could take down 75% of the 
traffic. In fact, it could be difficult to detect any kind of jammer in that cluttered environment. 


[Figure 3: spectrum analyzer density display. Scale/Div 8 dB, Ref Level 0.00 dBm, Center 2.46000 GHz, Span 50.000 MHz, Res BW 240 kHz, Acq Time 15.00 ms (821 pts).]


Fig 3 - ZigBee narrow band signal on the left, WiFi wide band signal on the right [3]. 


Interference versus Jamming 


In practice, for a home security environment, the home could have dozens of ZigBee devices 
and probably just as many Bluetooth devices. Some homes have more than one WiFi router 
running. There would clearly be an interference effect similar to jamming. The reason everything 
still gives the appearance of continuous operation is that all devices are slowing down to find 
openings in the wireless traffic, time sharing, so they can send and acknowledge successful 
communications. 


The difference between jamming and interference is that the jammer can continuously 
transmit. The jammer is not waiting for a space in the clutter to transmit. However, any detector 
could have trouble differentiating between a jammer and clutter in such an overwhelmed system. 
A home environment may have many devices, but most of them will not be trying to transmit all 
at once. 




Fig 4 - The most common WiFi channel distribution.[8] 


WiFi's three non-overlapping channels (1, 6, and 11) use the exact same frequencies as ZigBee 
channels 11-22. ZigBee channels 25-26 aren't immune either, because they can be caught in WiFi 
channel 11's sideband lobe. ZigBee channel 26 is usually relatively unaffected by WiFi, but many 
ZigBee devices do not support it. 


Fig 5 - A Default WiFi Distribution with Overlayed ZigBee Channels [8]. 


To avoid interference from WiFi networks, a ZigBee network can be configured to only use 
channels 15, 20, 25, and 26, avoiding frequencies used by the commonly used WiFi channels 1, 6, 
and 11 as shown in Figure 6. Home Assistant—which is widely used, open source software for 
home automation and security—uses channel 15 as a default. This only works due to time 
sharing. 
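
The channel recommendation above can be checked numerically. The following Python is an added example, not part of the original paper; it assumes the standard channel model (802.15.4 channel k centered at 2405 + 5(k-11) MHz and 2 MHz wide, 802.11b/g channel n centered at 2407 + 5n MHz with the 22 MHz width shown in figure 1), and all function names are hypothetical.

```python
"""ZigBee/WiFi coexistence check for the 2.4 GHz band.

Assumed channel model (standard values, not read from the article's figures):
  - IEEE 802.15.4 channel k (11..26): centre 2405 + 5*(k-11) MHz, 2 MHz wide
  - 802.11b/g channel n (1..13): centre 2407 + 5*n MHz, 22 MHz main lobe
Side lobes extend past these edges, so a small positive margin is no guarantee.
"""

ZIGBEE_CHANNELS = range(11, 27)
WIFI_CHANNELS = range(1, 14)
ZIGBEE_WIDTH_MHZ = 2.0
WIFI_WIDTH_MHZ = 22.0


def zigbee_band(channel):
    """Return the (low, high) edges in MHz of a ZigBee channel."""
    if channel not in ZIGBEE_CHANNELS:
        raise ValueError(f"ZigBee channel {channel} is outside 11..26")
    centre = 2405 + 5 * (channel - 11)
    return centre - ZIGBEE_WIDTH_MHZ / 2, centre + ZIGBEE_WIDTH_MHZ / 2


def wifi_band(channel):
    """Return the (low, high) edges in MHz of a WiFi main lobe."""
    if channel not in WIFI_CHANNELS:
        raise ValueError(f"WiFi channel {channel} is outside 1..13")
    centre = 2407 + 5 * channel
    return centre - WIFI_WIDTH_MHZ / 2, centre + WIFI_WIDTH_MHZ / 2


def margin_mhz(zigbee_channel, wifi_channels):
    """Smallest gap in MHz between a ZigBee channel and any WiFi main lobe.

    A negative value means the ZigBee channel lies inside a WiFi main lobe.
    """
    z_lo, z_hi = zigbee_band(zigbee_channel)
    gaps = []
    for wifi_channel in wifi_channels:
        w_lo, w_hi = wifi_band(wifi_channel)
        # Gap is measured on whichever side of the WiFi lobe the channel sits.
        gaps.append(max(z_lo - w_hi, w_lo - z_hi))
    return min(gaps) if gaps else float("inf")


def clear_channels(wifi_channels, guard_mhz=0.0):
    """ZigBee channels at least guard_mhz away from every WiFi main lobe."""
    return [k for k in ZIGBEE_CHANNELS
            if margin_mhz(k, wifi_channels) >= guard_mhz]


def ranked_channels(wifi_channels):
    """ZigBee channels sorted from most to least separated from the WiFi in use."""
    return sorted(ZIGBEE_CHANNELS,
                  key=lambda k: margin_mhz(k, wifi_channels), reverse=True)


if __name__ == "__main__":
    in_use = [1, 6, 11]
    print("clear of main lobes:", clear_channels(in_use))
    print("with 2 MHz guard   :", clear_channels(in_use, guard_mhz=2.0))
    for k in ranked_channels(in_use)[:4]:
        print(f"channel {k}: margin {margin_mhz(k, in_use):+.1f} MHz")
```

Channels 15 and 20 touch the edge of a WiFi main lobe with no guard band at all, which is why they depend on time sharing once side lobes are taken into account.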


[Figure 6 labels: IEEE 802.11 Ch 1, Ch 6 and Ch 11; BLE; 802.15.4.]


Fig 6 - Wireless Channel Delegation in Crowded Environment 


Types of Jamming 


There are many types of jamming techniques as listed in table 1.[3] I have included references 
[5-9] for those who would like to dig deeper. The type of jammer used depends upon the 
scenario. In this case, the attacker is targeting a ZigBee home security system. My experiments 
with Home Assistant and my study of its documentation do not reveal any means to detect any 
kind of jammer. I am unaware of any consumer home security systems advertising jammer 
detection, including open source systems. For purposes of discussion in the rest of the paper, I will 
assume no jamming detection is present. 


The target market for ZigBee security is price sensitive, and the consumer is not usually a 
computer scientist, so there will be minimal to no effort made developing a sophisticated jammer 
detection system. Development of such systems is time intensive and requires expert engineers, 
which raises development costs. This pervasive attitude keeps the level of security in the home 
security market very low to non-existent. 


This situation encourages jamming to defeat a ZigBee home security system. Jammer detection 
is not an issue. The jammer must be able to switch channels and jam on different bandwidths 
continuously. One jammer that does this and does not require sophisticated programming skills 
and prevents security system communication is the Pulsed Noise jammer in table 1. 


Table 1: Classification of jammers.[4] 
Columns: Jammer, Proactive, Reactive, Energy efficient, Single channel, Multiple channel

Constant x x
Deceptive x x
Random x x x
RTS/CTS jammer 7 *
Data/ACK jammer - ‘
Follow-on x x x
Channel hopping ‘i .
Pulsed noise = x a
Control channel cs . 7 7 i
Implicit x x x x
Flow-jamming x x x x x




It is unreasonable to believe that jammed peripherals could inform the hub or coordinator that 
jamming is occurring. How would they communicate that to the coordinator when they are being 
jammed? That means the coordinator must handle the problem alone. Even if the coordinator 
suspects jamming is occurring, it could be problematic to confirm until it stopped. This is 
especially true in a crowded environment. The coordinator would have a difficult time 
determining the difference between interference with WiFi and Bluetooth and our jamming 
signal. 
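
The distinction drawn above (interference leaves gaps, a jammer transmits continuously, and only the coordinator is in a position to notice) can be turned into a coordinator-side check. The following Python is an added example, not code from the paper or from Home Assistant; it assumes the coordinator can sample channel energy and knows each device's check-in interval, and every name and threshold in it is hypothetical.

```python
"""Coordinator-side heuristic: congestion, device fault, or suspected jamming?

Assumptions (hypothetical, not Home Assistant or ZigBee stack APIs):
  - the coordinator can sample channel energy (energy detect / RSSI) in dBm
  - every device has an expected check-in interval and a last-heard timestamp
  - the thresholds below are illustrative and need tuning per site
"""
from dataclasses import dataclass

BUSY_DBM = -75.0           # energy above this counts as "channel busy"
JAM_BUSY_FRACTION = 0.95   # near-continuous energy: nothing is waiting for gaps
CONGESTED_FRACTION = 0.50  # bursty sharing with WiFi and Bluetooth
SILENT_FRACTION = 0.80     # share of devices that must be overdue
GRACE = 2.0                # a device is overdue after GRACE * check-in interval


@dataclass
class Device:
    name: str
    checkin_s: float     # expected reporting interval in seconds
    last_heard_s: float  # time the coordinator last received a frame from it


def busy_fraction(samples_dbm):
    """Fraction of energy samples above the busy threshold."""
    if not samples_dbm:
        return 0.0
    return sum(s > BUSY_DBM for s in samples_dbm) / len(samples_dbm)


def longest_busy_run(samples_dbm):
    """Longest run of consecutive busy samples; a jammer leaves no idle gaps."""
    best = run = 0
    for sample in samples_dbm:
        run = run + 1 if sample > BUSY_DBM else 0
        best = max(best, run)
    return best


def overdue(devices, now_s):
    """Names of devices that missed their check-in by more than the grace factor."""
    return [d.name for d in devices
            if now_s - d.last_heard_s > GRACE * d.checkin_s]


def classify(samples_dbm, devices, now_s):
    """Return (verdict, evidence) for one observation window."""
    busy = busy_fraction(samples_dbm)
    late = overdue(devices, now_s)
    silent = len(late) / len(devices) if devices else 0.0
    if silent >= SILENT_FRACTION and busy >= JAM_BUSY_FRACTION:
        verdict = "suspected_jamming"  # whole network silent under continuous energy
    elif silent >= SILENT_FRACTION:
        verdict = "network_silent"     # quiet channel: coordinator or power fault
    elif busy >= CONGESTED_FRACTION:
        verdict = "congestion"         # busy but with gaps, devices still get through
    elif late:
        verdict = "device_fault"       # isolated failure, e.g. a dead battery
    else:
        verdict = "normal"
    evidence = {"busy_fraction": round(busy, 2),
                "longest_busy_run": longest_busy_run(samples_dbm),
                "overdue": late}
    return verdict, evidence


# Constructed sample data: one energy sample every 100 ms for 60 s.
JAMMED = [-42.0] * 600
CONGESTED = [-50.0 if i % 10 < 6 else -92.0 for i in range(600)]
QUIET = [-60.0 if i % 20 == 0 else -92.0 for i in range(600)]


def sample_devices(last_heard):
    """Four constructed sensors, each expected to report every 60 s."""
    names = ["motion_hall", "door_front", "door_back", "window_kitchen"]
    return [Device(n, 60.0, t) for n, t in zip(names, last_heard)]


if __name__ == "__main__":
    print(classify(JAMMED, sample_devices([700, 710, 690, 720]), 1000))
    print(classify(CONGESTED, sample_devices([990, 970, 950, 930]), 1000))
    print(classify(QUIET, sample_devices([990, 970, 500, 930]), 1000))
```

Writing each verdict and its evidence to a log leaves the timestamped record that the paper notes is otherwise absent; in a crowded site the busy fraction of ordinary traffic can approach the jamming threshold, which is the ambiguity described above.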


The Hardware and Software 


I will assume that the attacker, i.e., the jammer user, is not a computer scientist. He could be a 
teenager. The cost must be minimal and within reach of a teenager’s budget. The knowledge 
needed to operate the system must be readily available on the Internet. The actual equipment 
must be portable and easily concealed. 


The software should ideally be free and open source with binaries so that compiling from 
source code is not necessary. Whsniff is an exception and may need to be compiled; instructions 
are provided on the GitHub site.[10] The computer could be a laptop, but a Raspberry Pi is 
preferred, as it is widely used and is the simplest to implement. The Raspbian operating system 
is preferred in this application, if using the Raspberry Pi. If using a laptop, Ubuntu is preferred. 
Most of the required software can be installed from a menu by either the software management 
system or by Synaptic. This hardware-software combination is also the least expensive by far. 


The hardware list is short: 


1) Raspberry Pi 4B+ 
2) Raspberry Pi Touch Screen 
3) Texas Instruments cc2531 sniffer 
4) HackRF One SDR, output power 14 dBm 
5) RF Power Amplifier, Analog Devices CN0417, gain 20 dB 
6) Directional Antenna covering 2.4 GHz to 2.5 GHz 


Fig 7 - TI cc2531 sniffer. 


An SDR is required to generate the jamming signal. The RTL-SDR upper frequency limit is 
around 1.7 GHz, which is too low. The BladeRF has a conflict with the gnu-radio Osmocom signal 
generator software. The only SDR I had in stock that produced a reasonable jamming signal was 
the HackRF One with a 14 dBm transmission power in that bandwidth. The output power level 
was marginal and would not work over an extended distance, so I added an RF power amplifier on 
the transmitter (Tx) port. 


The TI cc2531 sniffer, figure 7, is required to determine the ZigBee channel used by the target 
home security system. It may need to be “flashed”.[12] The channel being used will determine 
the center frequency used by the osmocom jammer command. The sniffer version with an SMA 
connector will allow a directional antenna to be connected until the operating channel is 
determined, thus greatly increasing its range. The antenna cable can then be switched to the RF 
power amp output port. 


The software list is also short: 
1) Raspbian 64 bit version on a 32 GB SD card 
2) Full gnu radio and osmocom applications, preferably installed from Synaptic software manager 
3) whsniff [10], may require compilation 
4) wireshark installed from Synaptic 


Figure 8 shows the jammer based on a regular video monitor, keyboard, and mouse. It has the 
dual purpose of monitoring the open source system dashboard on my local network while I am 
experimenting with the SDR signal generator. The jammer video monitor is showing the targeted 
security system Node-Red dashboard in the upper right corner of the monitor so that I can watch 
to see when the coordinator stops responding to the motion sensor and magnetic contact. 


Figure 2: Jammer Laboratory Setup 




My security system uses a Conbee II adapter, approximately 9 dBm transmission power, 
connected to a second Raspberry Pi 4B+ that does have a touch screen and is running the Home 
Assistant operating system, which is connected to my local network. It hosts the Node-Red server 
as an add-on module to Home Assistant. 


Fig 9 - Directional Yagi WiFi Antenna. 


Fig 10 - Anechoic Chamber 


Fig 11 - Antenna Directional Gain 


The Yagi directional antenna shown in figure 9 was chosen; it has a maximum directional 
gain of 14 dB, as shown in figure 11. It was measured in the anechoic chamber shown in figure 10. 
The range is line-of-sight. This means that anything between the transmitter (jammer) and the 
target reduces the gain and hence the range. There are well known means for estimating the 
power loss depending upon the obstacles. Metal objects, such as a large truck, can block the 
signal entirely. 


The HackRF (14 dBm) combined with the amplifier (20 dB), and the directional antenna (14 
dB) provide a signal power of 68 dB overall in direct line of sight. ZigBee radios usually have a 
transmission power of 1 dBm providing a range of approximately 30 meters between it and the 
hub (receiver). Estimating jammer signal strength at the hub will depend upon distance from the 
hub and obstacles between them. The entire system will be overwhelmed if there is a 10 dBm 
jammer signal at the hub. However, only a 10 dBm jammer signal will typically be needed at the 
sensor nearest to the hub, though every situation will be unique. 


Figure 12 shows the 2.4 GHz to 2.5 GHz spectrum when the jammer is off. The traffic is 6 WiFi 
channels and possibly a dozen Bluetooth channels. This is a noisy environment. The high-rise 
office building was far worse. It is amazing that a ZigBee network could operate in this 
environment, but it does. Occasionally, a peripheral signal does not get through. 


The jammer is turned on by typing the following command [11] in the lower right terminal 
window: osmocom_siggen -a hackrf. 


The Osmocom control panel, shown in figure 13, is displayed on the left showing operational 
settings. It is set for Uniform Noise centered at 2.425 GHz with maximum gain and 12 MHz 
bandwidth. 


The very large peak centered at 2.425 GHz in the spectrum seen in figure 14 is the jammer 
noise signal. The jammer noise takes up more than half of the spectrum. Of course, the observed 
noise spread is much wider than the 12 MHz set in the Osmocom control panel. The side lobes are 
huge. The only signal not affected is one WiFi channel. Everything else is suppressed. There are 
no ZigBee or Bluetooth signals. 




Fig 13 - Raspberry Pi Screen Shot. 


Fig 14 - Jammer Signal. 


The entire ZigBee network became completely non-responsive. There was an apparatus in the 
laboratory communicating data to a local computer over WiFi on channel 7. It also dropped out 
with red character warnings on the video screen. Some of the Bluetooth devices also became 
inoperative but not all of them. 

On my ZigBee network, none of the peripherals transmitted anything after the jammer signal 
was terminated. It was as if nothing had ever happened. On my home security system, there was 
no forensic evidence of any break in. 


Discussion 


I have demonstrated the effectiveness of the most basic intrusion attack on a ZigBee home 
security system, jamming. Of the various jamming methods, this is the simplest and requires the 
least equipment. The technology is inexpensive and requires little knowledge of 
computer science. As fate would have it, this attack is probably the most effective means of 
penetration into a ZigBee home security system. 


An intruder would likely use this method if his only objective is to get in undetected and get out 
with the least amount of effort and expense. It is worth noting that while operating this jammer, 
some of my WiFi communications in the immediate area also went down, displaying alert 
messages in bold red letters. Anyone using WiFi that is being jammed will know immediately 
that communications have been lost and start looking for answers. Moreover, detailed analysis 
suggests that weaponizing the concept could be complicated and not the most critical physical 
security threat.[1] 


On the other hand, security systems generally avoid using WiFi components by design for 
obvious security concerns. Home Assistant deploys only wired Ethernet connections for that 
very reason, although attack scenarios are still possible. A serious problem with wireless 
technology for network security is that most people do not recognize the very real threat 
that ZigBee and Z-Wave vulnerabilities pose to their wireless physical security 
systems. 


While there are many signal generators that can do the same thing, a Software Defined Radio 
(SDR) is compact and can be operated by simply plugging it into a laptop offering complete 
customized portable control. It is the perfect electromagnetic weapon against ZigBee when used 
in conjunction with minimal accessories. 


It may be noted that military and intelligence agencies are well aware of issues related to RF 
jamming as exemplified by the numerous published papers previously mentioned on this subject. 
The jamming technique described herein may be illegal in some countries. However, keeping this 
kind of information from the general public and security professionals exposes them to 
vulnerabilities in their physical security systems that criminals probably already know. In such 
situations, detailed disclosure of vulnerability issues may well be prudent and appropriate.[13] 


It is important to note that insurance companies typically will not honor a claim if there is no 
evidence of an intrusion. I am also aware of two incidents using wireless techniques to hijack 
expensive automobiles that were previously only known to the perpetrators. Keeping techniques 
like this secret only exposes the general public to unnecessary risk. 




References 


[1] Annamaria Sarbu, Dumitru Neagoie, “Wi-Fi Jamming Using Software Defined Radio”, Nicolae 
Balcescu Land Forces Academy, Sibiu, Romania. 

[2] GHz-ISM-Band fig 220973226 and Akash Baid, Suhas Mathur, Dipankar Raychaudhuri, 
“Spectrum MRI: Towards diagnosis of multi-radio interference in the unlicensed band” 

[3] ZigBee Technologies and Measurement Solutions, https://zhuanlan.zhihu.com/p/378697977 

[4] K Grover, A Lim, Q Yang, “Jamming and anti-jamming techniques in wireless networks: a 
survey”, International Journal of Ad Hoc and Ubiquitous Computing, Volume 17 Issue 4, December 
2014, pp 197-215, Published: 01 December 2014 

[5] Murat Cakiroglu, Ahmet Turan Ozcerit, “Jamming Detection Mechanisms for Wireless Sensor 
Networks” 

[6] Opeyemi Osanaiye, Attahiru S. Alfa and Gerhard P. Hancke, “A Statistical Approach to 
Detect Jamming Attacks in Wireless Sensor Networks”, Sensors 

[7] Pirayesh, Sangdeh, and Zeng, “Securing ZigBee Communications against Constant Jamming 
Attack Using Neural Network” 

[8] ZigBee and Wi-Fi Coexistence, https://www.metageek.com/training/resources/ZigBee-wifi-coexistence/ 

[9] Low-Cost ZigBee Selective Jamming, https://www.bastibl.net/reactive-ZigBee-jammin 

[10] whsniff, https://github.com/homewsn/whsniff 

[11] osmocom_siggen, https://manpages.debian.org/testing/gr-osmosdr/osmocom_siggen.1.en.html 

[12] Texas Instruments sniffer firmware: https://www.ti.com/tool/PACKET-SNIFFER 

[13] A MODEL FOR HOW TO DISCLOSE PHYSICAL SECURITY VULNERABILITIES, Roger G. 
Johnston, Ph.D., CPP, Journal of Physical Security 3(1), 17-35 (2009). 




Journal of Physical Security 15(1), 14-20 (2022) 


ZigBee Deep Penetration 


John T. Jackson, Jr., MS 
Jackson Research 


www.jrmagnetics.com 


Abstract 


The hardware and software needed to “Deep Penetrate” or hack a Zigbee (IoT) physical security 
system is shown. This is not a step-by-step recipe nor a tutorial. I only list the equipment used to 
demonstrate the ease with which such a system can be breached and enable anyone to duplicate 
the results. My focus in this paper is on the primary vulnerability of a Zigbee physical security 
network. Details of how to set up various aspects of a Zigbee network are abundant on the 
Internet. There are some references to hacking Zigbee systems, but they make it sound 
mysterious. On the contrary, this is extremely simple to accomplish at minimal effort and 
expense. 


Introduction 


Zigbee wireless home physical security systems have become ubiquitous. The Zigbee Internet 
of Things (IoT) network is often deployed to control an entire house, including lights, audio 
systems, and various other equipment. A physical security system is sometimes integrated into 
this network. Other times, a ZigBee network is set up exclusively as a stand-alone physical 
security system. I have been testing Zigbee physical security peripherals as a home physical 
security system. The purpose is to find weaknesses and flaws in the system that allow 
unauthorized intrusion without setting off any alarms and without leaving any forensic evidence 
of a break in. This paper demonstrates that these Zigbee physical security systems are easily 
penetrated with minimal equipment. 


The ZigBee security system I work with is a wireless system with no cables, except the power 
cord to the Zigbee server or control panel. It shares the same RF frequency range with WiFi and 
Bluetooth devices. Details can be found on the Internet, which include the various possible 
network arrangements. 


Hardware 


I chose a Conbee II USB adapter, shown in figure 1, as the “coordinator” or network hub. It has 
exceptional range and reliability. Commercial brand-name Zigbee network hubs sometimes have 
unique features that favor that particular brand’s peripherals. In some cases, only peripherals of 
the same brand as the hub can be reliably connected. Furthermore, one brand of hub will 
frequently have their own software that aggravates the situation by not being compatible with 
any other applications or peripherals. The Nordic adapter could have been used, but it also 
includes Z-wave, which is not considered here, and is more expensive. Fortunately, the Conbee II 
allows most peripherals to connect to it and is accepted by open source applications, such as the 
popular Home Assistant, without specialized configurations. 


Fig 1 - Conbee II Zigbee Coordinator 


A TI cc2531 USB adapter could have been used as the coordinator, but it requires flashing with 
either coordinator or router firmware [1] to be useful. It is not “plug and play” out of the box. I 
wanted something I could just plug in and begin operations without going through a firmware 
flashing process to avoid any complications upon initial setup of the system. I could still do that 
with the adapters I have on hand, but I already have the Conbee II fully operational. 


Fig 2 - cc2531 Sniffer, Antenna, and Flash Cable 


Figure 2 shows a TI cc2531 USB adapter, which was chosen as the sniffer. It cannot be used out 
of the box as is. It must be flashed with specialized firmware [2] before it can be used to monitor 
Zigbee wireless traffic. At this time, there are no other real options. The former RZERAVEN 
adapter, for which the hacker application Killerbee was designed, is obsolete and no longer 
available. Killerbee firmware [3] for the cc2531 may not work here. So, if you are going to 
monitor RF traffic between the coordinator and connected peripherals, you will need to purchase 
a cc2531 USB adapter and flash it with the appropriate firmware. 




Fig 3 - cc2531 Debugger and Flasher 


The cc2531 sniffers I use all have SMA connectors so that I can attach specialized and 
directional antennas. The antenna shown in figure 2 is a simple dipole. The directional antenna I 
use, figure 4, has 14 dB gain, which allows communications at extended ranges. The hub and its 
peripherals all have indoor ranges of around 30 meters, depending upon wall construction and 
other obstacles that might shorten that range. My sniffer equipped with this directional antenna 
can sit far outside the communication range of the hub and its peripherals. This sniffer antenna 
combination is ideal for monitoring Zigbee communications from a comfortable distance. 


Fig 4 - Directional Antenna 




The Conbee II is plugged into a Raspberry Pi 4B+ running Home Assistant and the sniffers are 
plugged into a desktop running Kali Linux featuring a full suite of hacker tools. 


Software 


Home Assistant is not simple to operate for a beginner. There is a steep learning curve to get it 
up and running. People typically purchase off-the-shelf Zigbee control hubs with packaged 
software because they have no computer skills, and/or cannot or do not want to deal with 
minimal computer configurations. I chose it because it is free, open source, programmable, and 
easily tailored to specialized configurations. The peripherals I am using are all listed and 
configurable from a menu. It also runs Node Red, which is a programmable user interface for a 
highly flexible custom dashboard. Home Assistant does require some computer programming 
skill in JSON and JavaScript to take full advantage of advanced application features. 


I wrote the Home Assistant operating system onto a 32 GB SD card and ran it in the Raspberry 
Pi 4B+. 


The principal sniffer software, whsniff, requires downloading software source code from 
Github [4] and compiling it. Wireshark [5] must be downloaded and installed to analyze the 
packets piped to it by whsniff. Wireshark comes preinstalled on Kali Linux. Minimal computer 
skills are required for this operation. You need to be able to handle command line operations 
from a terminal window. All of the instructions for this are online. 


I already operate a Kali Linux workstation. Wireshark was preinstalled. I had to download 
whsniff and compile it. The command line instructions to operate the configuration are given in 
the Github whsniffer instruction set. 


Whsniffer is not available on any version of Windows. Many of the wireless hacking tools are 
only available on Linux. Windows does not allow an attacker to implement most of the necessary 
professional hacking tools. 


Technique 


A long, detailed explanation of the Zigbee wireless protocol [6] is not necessary in order to 
recognize the ease with which the Zigbee system can be breached. Detailed Zigbee protocol 
specifications are available on the Internet. It is sufficient to say there are two levels of security 
with an encryption password at each level. The communications between the coordinator or hub 
and its peripherals are all encrypted. The first layer password or key is the same for all 
out-of-the-box, off-the-shelf coordinators, hubs, or control panels. It is used to create a second 
encryption password or key that is used for communications between the hub and the peripherals. 
All off-the-shelf coordinators use this same password. 


This first layer password, called the “Trust Center Link Key”, is: 
5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39. 




The second password, the Network Key, is transmitted in “plain text” when a new peripheral is 
“paired” to the network. This is the password we need to obtain by sniffing to hack the system. It 
is transmitted in “plain text” every time a peripheral is paired to the system, which happens every 
time you add a new device to the network. It must be paired to the network just like a Bluetooth 
device. Pairing is initiated on both the new peripheral and the hub at the same time. The hub 
transmits the “Network Key” to the peripheral in plain text only during the pairing process. The 
sniffer grabs the packet containing this key and pipes it to wireshark. After this operation is 
completed, all communications with the peripheral are encrypted and the Network Key is no 
longer observable. Put this Network Key, just obtained in plain text, into the preferences file of 
Wireshark, after which all packets from any device on the entire network can be decoded and 
observed in plain text. You now have complete control of the wireless IoT system. 
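
Because the Network Key goes over the air only while pairing is open, the pairing windows are what an owner can limit and audit. The following Python is an added example, not code from the paper or from Home Assistant; the log format, the device addresses and the 60-second limit are constructed assumptions, and the only value taken from the paper is the Trust Center Link Key quoted above.

```python
"""Audit of pairing windows in a coordinator event log (constructed format).

Every open pairing window is a period in which the Network Key can be
captured by anyone holding the published Trust Center Link Key, so the audit
flags long or unclosed windows and joins that the owner did not expect.
"""
from datetime import datetime

# Default Trust Center Link Key as quoted in the article.
DEFAULT_TCLK = bytes.fromhex("5A6967426565416C6C69616E63653039")


def uses_default_link_key(configured):
    """True if a configured key (hex, ':' or space separated) is the default."""
    cleaned = configured.replace(":", "").replace(" ", "")
    try:
        return bytes.fromhex(cleaned) == DEFAULT_TCLK
    except ValueError:
        return False


def audit_pairing(log_lines, known_devices, max_window_s=60):
    """Return a list of (kind, timestamp, detail) findings."""
    findings = []
    opened = None  # start time of the pairing window currently open, if any
    for line in log_lines:
        if not line.strip():
            continue
        stamp, event, *rest = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "permit_join" and rest and rest[0] == "on":
            if opened is None:
                opened = when
        elif event == "permit_join" and rest and rest[0] == "off":
            if opened is not None:
                length = int((when - opened).total_seconds())
                if length > max_window_s:
                    findings.append(("long_window", opened.isoformat(), f"{length} s"))
                opened = None
        elif event == "device_joined" and rest:
            ieee = rest[0].split("=", 1)[1].lower()
            if ieee not in known_devices:
                findings.append(("unknown_device", stamp, ieee))
            if opened is None:
                # A join nobody asked for: a rejoin or a forced re-pairing.
                findings.append(("join_outside_window", stamp, ieee))
    if opened is not None:
        findings.append(("unclosed_window", opened.isoformat(), "open at end of log"))
    return findings


# Constructed sample log and inventory (addresses are placeholders).
KNOWN_DEVICES = {"00:00:00:00:00:00:00:01", "00:00:00:00:00:00:00:02"}
SAMPLE_LOG = [
    "2022-03-01T10:00:00 permit_join on",
    "2022-03-01T10:00:21 device_joined ieee=00:00:00:00:00:00:00:01",
    "2022-03-01T10:00:45 permit_join off",
    "2022-03-03T18:30:00 permit_join on",
    "2022-03-03T18:52:10 device_joined ieee=00:00:00:00:00:00:00:99",
    "2022-03-03T19:05:00 permit_join off",
    "2022-03-04T03:12:00 device_joined ieee=00:00:00:00:00:00:00:02",
    "2022-03-05T09:00:00 permit_join on",
]

if __name__ == "__main__":
    key = "5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39"
    print("default link key in use:", uses_default_link_key(key))
    for finding in audit_pairing(SAMPLE_LOG, KNOWN_DEVICES):
        print(finding)
```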


Results 


The Trust Center Link Key was first inserted into wireshark. Then, whsniff was piped into 
wireshark from the command line. A Xiaomi motion sensor, shown in figure 5, was then paired 
with the Home Assistant coordinator. This was done by first putting Home Assistant in pairing 
mode and then pushing the button on the motion sensor by inserting a paper clip wire into the 
small hole on its right side. The packets could clearly be seen scrolling down the windowpane in 
wireshark. 


Fig 5 - Xiaomi Motion Sensor 


This Network Key was inserted into the wireshark preferences just as the Trust Center Link Key 
was. The whsniff pipe into wireshark was restarted. Now, all packets could be seen in clear text. 
I took control of the entire Zigbee network. The decoded packets of every device connected to 
the network can be seen in plain text from this point onward. 


Figure 6 shows a screen capture of an expanded packet from the stream. Toward the bottom, 
you can see the label “Network Key” with the value immediately above it. This key decodes every 
packet in the stream. All information to and from any of the peripherals can be saved to a file in 
plain text for later evaluation. If whsniff piped to wireshark is left running, all activity is recorded 
with time stamps for every transaction. 


Using a second cc2531 adapter flashed with the Killerbee firmware, various attacks can be 
launched by injecting fake packets into the network. This is possible because you already have 
the Network Key. 


Frame 1: 49 bytes on wire (392 bits), 49 bytes captured (392 bits) on interface /dev/fd/63 
IEEE 802.15.4 Data, Dst: Broadcast, Src: 0x0000 
    Frame Control Field: 0x8841, Frame Type: Data, PAN ID Compression, Destination Addressil 
    Sequence Number: 0 
    Destination PAN: 0xaf48 
    Destination: 0xffff 
    Source: 0x0000 
    [Extended Source: dresden-_ff:ff:07:92:92 (00:21:2e:ff:ff:07:92:92)] 
    [Origin: 1] 
    FCS: 0x95fe (Correct) 
ZigBee Network Layer Data, Dst: Broadcast, Src: 0x0000 
    Frame Control Field: 0x0208, Frame Type: Data, Discover Route: Suppress, Security Data 
    Destination: 0xfffd 
    Source: 0x0000 
    Radius: 10 
    Sequence Number: 187 
    ZigBee Security Header 
        Security Control Field: 0x28, Key Id: Network Key, Extended Nonce 
        Frame Counter: 33780 
        Extended Source: dresden-_ff:ff:07:92:92 (00:21:2e:ff:ff:07:92:92) 
        Key Sequence Number: 0 
        Message Integrity Code: 3a11b9e3 
        [line not legible] 
        [Key Label: Network Key] 
ZigBee Application Support Layer Data, Group: 0xfffc, Src Endpt: 0 
ZigBee Device Profile, Permit Join Request 


Fig 6 - Zigbee Packet showing Network Key in Wireshark 


Discussion and Conclusion 


There are other scenarios that can cause the pairing event to occur from which the Network Key 
may be captured. They are not considered here. It is sufficient to show the simplicity of the 
process and the hardware needed to capture it. This is not the only way a Zigbee network may be 
compromised, but certainly is one of the simplest. I succeeded on my first try. 


Zigbee physical security systems are definitely not secure. Minimal computer skills and 
hardware are needed to hack the system. If my desktop is replaced with a laptop, the entire 
sniffing system can be transported in a backpack. There are videos online that show how to 
couple a GPS to a Raspberry Pi in addition to the sniffer and obtain the hub coordinates by 
triangulation from a car as they drive around the neighborhood. 


Internet of Things (IoT) is predominantly a Zigbee wireless network. I can take complete 
control of a house in minutes from quite a distance if the house is wirelessly connected using 
Zigbee. In my view, no one should deploy a Zigbee physical security system for anything close to 
serious security. 


The technique discussed in this paper was available in bits and pieces across the Internet. 
Anyone taking enough time and effort can find this and implement it. Although military, 
intelligence agencies and criminals are likely well aware of this technique, the general public may 
not be. In such a situation, openly discussing details of the vulnerabilities is probably prudent.[7] 
It is worth noting that insurance companies typically will not honor a claim if there is no evidence 
of an intrusion. In my view, keeping techniques like this secret only exposes the general public to 
unnecessary risk. 


References 


[1] CC2531 firmware, https://github.com/Tropicao/zigbridge 

[2] packet sniffer firmware, https://www.ti.com/tool/PACKET-SNIFFER 

[3] Killerbee compatible ZigBee sniffer/injector firmware for TI CC2531 USB dongles, 
https://github.com/virtualabs/cc2531-killerbee-fw 

[4] whsniff, https://github.com/homewsn/whsniff 

[5] wireshark, https://www.wireshark.org/ 

[6] Zigbee Alliance, https://csa-iot.org/ 

[7] A MODEL FOR HOW TO DISCLOSE PHYSICAL SECURITY VULNERABILITIES, Roger G. 
Johnston, Ph.D., CPP, Journal of Physical Security 3(1), 17-35 (2009). 




Journal of Physical Security 15(1), 21-29 (2022) 


Parallel GPU Password Crack Times 


John T. Jackson, Jr., MS 
Jackson Research 


www.jrmagnetics.com 


Abstract 


Real cracking of passwords is demonstrated with tables of time needed to crack them based 
upon actual hardware/software performance. This is not an exercise in mathematical theoretical 
computation. There are some online calculators that provide theoretical iterations needed to 
crack passwords, but never reference any actual performance results. I could never get a straight 
answer on how long it might take to crack a password, so I used a massively parallel GPU 
computing engine built for mining crypto to find passwords instead. I have provided tables 
showing maximum crack times based upon my computing engine’s actual performance and 
describe the hardware. You should be able to judge how secure your passwords are from these 
real life data benchmarks. 


Introduction 


“Penetration Testing” (aka “PenTesting”) physical security systems led me to wireless security 
systems, often an integral part of the wired physical security systems. The deeper I got into it, the 
more necessary it became to crack passwords as part of the procedure. I had always wondered 
just how secure my passwords are, but could never get a straight answer from the engineers 
designing the key entry systems, or any of the code breakers. They all pointed me to number 
theory and cryptanalysis. My question is, “How does that help me in real life?” Now I have 
studied those subjects and have some skill with number theory. Theory alone provides no clues 
to solving a real life situation. For that, we need physical hardware and software. In this paper, I 
will give you a feel for the hardware and software involved (and its performance) so that you can 
make educated judgments about the level of security you think you actually need and how to 
achieve it. 


The computing engine 


The motherboard I used is a Giga-Byte GA-H110-D3A miner with two power supplies 
providing up to 1 kW of power each. The video cards are Radeon Vega 56. This rig is my own 
design and construction. It is used for crypto mining when not cracking passwords. It can be run 
“stand alone” or connected in clusters with other mining rigs as needed. There is actually no limit 
to the number of mining rigs except cost. They are expensive and consume copious power. 




Also, consider that the hardware (computing engine) itself may not be enough. Refrigeration 
may be required. I know people who have 10 or more rigs mining crypto and refrigeration is 
definitely a problem. I am presently using one to heat my house during the cold weather. 


The GPU engine is not used to capture the data needed for password cracking. That process is 
accomplished on a Linux “Pentest” machine utilizing other specialized tools. The captured data is 
processed for analysis by data conversion utilities and ported to the GPU engine for cracking. 
That brings us to the required software. 


Fig 1 - GPU computing engine. 


Software 


I am running Kali Linux on a desktop in the lab. It could just as easily be a laptop for field 
operation. The tool on this machine is Wifite. A WiFi adapter is required on either the laptop or 
desktop that can be operated in “monitor mode”. Since the GPU engine is not portable, the data is 
captured on one machine and ported to the GPU engine in the lab. 


Wifite is a tool to audit WEP or WPA encrypted wireless networks. It uses aircrack-ng, pyrit, 
reaver, tshark tools to perform the audit. The Wifite tool is customizable to be automated with 
only a few arguments, and can be trusted to run without supervision. Wifite is designed to use all 
known methods for retrieving the password of a wireless access point (router).[1] 


These methods include: 
1. WPS: The Offline Pixie-Dust attack 
2. WPS: The Online Brute-Force PIN attack 
3. WPA: The WPA Handshake Capture + offline crack 
4. WPA: The PMKID Hash Capture + offline crack 
5. WEP: Various known attacks against WEP, including fragmentation, chop-chop, aireplay, 
etc. 


I do not, however, use Wifite for decryption. Another highly specialized program, Hashcat, is 
used on the GPU engine, because it is tailored for massively parallel GPU operation.[2] 


Core attack modes (from the Hashcat Wiki page) 

* Dictionary Attack - trying all words in a list; also called “straight” mode (attack mode 0, -a 0) 

* Combinator Attack - concatenating words from multiple word lists (mode 1) 

* Brute-force Attack and Mask Attack - trying all characters from given character sets, per 
position (mode 3) 

* Hybrid Attack - combining word lists+masks (mode 6) and masks+word lists (mode 7); can 
also be done with rules 

* Association Attack - use a username, a filename, a hint, or any other pieces of information 
which could have had an influence in the password generation to attack one specific hash 


Procedure 


David Bombal has an excellent video detailing how he set up his laptop and employed its single 
GPU to crack a TP-Link router password in 7 minutes.[3] Both Wifite and Hashcat had been 
installed on his laptop. He gives a step-by-step live presentation of a WPA Handshake Capture 
with an offline crack using “Hashcat”. 


The following is a variation of his procedure for cracking a router password on my GPU engine: 
$ sudo wifite -wpa -kill 

1. At the prompt “Ctrl+C when ready”, enter “^C”. 
2. Select the WiFi target from the ESSID column and enter the corresponding “NUM” after the 
prompt “all:”. 
3. Enter “c” at each prompt until the prompt for the “WPA Handshake capture:” appears, 
usually the very last option showing “1 attack(s) remain”, then type “c” and allow the 
capture attack to proceed. 

Change to the directory where the “handshake_****************.cap” file is located. 

From there enter the command: 
$ /usr/share/hashcat-utils/cap2hccapx.bin handshake_****************.cap wpa2.hccapx 


Copy the file “wpa2.hccapx” into the hashcat directory on the GPU engine. 


From that directory, enter the command for the TP-Link password as shown in the video: 
> hashcat.exe -m 2500 -a 3 wpa2.hccapx ?d?d?d?d?d?d?d?d 


The maximum time to find a solution on his system was 9 mins 19 secs. The actual time taken 
was 6 mins 55 sec. On my GPU engine, the time to solve was 2 sec. 


Analysis 


Each table below shows the maximum time to crack based upon a specific character set and 
word length. 


Hashcat built-in character sets: 

* ?l = abcdefghijklmnopqrstuvwxyz 
* ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ 
* ?d = 0123456789 
* ?h = 0123456789abcdef 
* ?H = 0123456789ABCDEF 
* ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ 
* ?a = ?l?u?d?s 
* ?b = 0x00 - 0xff 


Example for Table 1, row 1: $ hashcat.exe -m 2500 -a 3 wpa2.hccapx ?d?d?d?d?d?d?d?d 

Table 1: Digit characters 

Character set                   #    Maximum time to solve 
?d?d?d?d?d?d?d?d                8    2 sec 
?d?d?d?d?d?d?d?d?d              9    8 min 46 sec 
?d?d?d?d?d?d?d?d?d?d            10   1 hr 36 min 
?d?d?d?d?d?d?d?d?d?d?d          11   15 hr 54 min 
?d?d?d?d?d?d?d?d?d?d?d?d        12   6 days 14 hr 
?d?d?d?d?d?d?d?d?d?d?d?d?d      13   66 days 15 hr 
?d?d?d?d?d?d?d?d?d?d?d?d?d?d    14   1 yr 302 days 




Table 2: Lower case alphabetic characters 

Character set                   #    Maximum time to solve 
?l?l?l?l?l?l?l?l                8    1 day 9 hr 
?l?l?l?l?l?l?l?l?l              9    36 days 1 hr 
?l?l?l?l?l?l?l?l?l?l            10   2 yrs 213 days 
?l?l?l?l?l?l?l?l?l?l?l          11   66 yrs 269 days 


Example for Table 3, row 4: $ hashcat.exe -m 2500 -a 3 wpa2.hccapx ?u?u?u?u?u?u?u?u?u?u?u 

Table 3: Upper case alphabetic characters 

Character set                   #    Maximum time to solve 
?u?u?u?u?u?u?u?u                8    1 day 9 hr 
?u?u?u?u?u?u?u?u?u              9    36 days 1 hr 
?u?u?u?u?u?u?u?u?u?u            10   2 yrs 213 days 
?u?u?u?u?u?u?u?u?u?u?u          11   66 yrs 269 days 


Example for Table 4, row 3: $ hashcat.exe -m 2500 -a 3 wpa2.hccapx -1 ?d?l ?1?1?1?1?1?1?1?1?1?1 

Table 4: Digital and Lower case alphabetic characters 

Character set                   #    Maximum time to solve 
-1 ?d?l ?1?1?1?1?1?1?1?1        8    10 days 20 hr 
-1 ?d?l ?1?1?1?1?1?1?1?1?1      9    1 yr 30 days 
-1 ?d?l ?1?1?1?1?1?1?1?1?1?1    10   66 yrs 55 days 




Example for Table 5, row 2: $ hashcat.exe -m 2500 -a 3 wpa2.hccapx -1 ?d?u ?1?1?1?1?1?1?1?1?1 

Table 5: Digital and Upper case alphabetic characters 

Character set                   #    Maximum time to solve 
-1 ?d?u ?1?1?1?1?1?1?1?1        8    10 days 20 hr 
-1 ?d?u ?1?1?1?1?1?1?1?1?1      9    1 yr 30 days 
-1 ?d?u ?1?1?1?1?1?1?1?1?1?1    10   66 yrs 55 days 


Example for Table 6, row 1: $ hashcat.exe -m 2500 -a 3 wpa2.hccapx -1 ?l?u ?1?1?1?1?1?1?1?1 

Table 6: Lower and Upper case alphabetic characters 

Character set                   #    Maximum time to solve 
-1 ?l?u ?1?1?1?1?1?1?1?1        8    4 yrs 


Example for Table 7, row 1: $ hashcat.exe -m 2500 -a 3 wpa2.hccapx ?a?a?a?a?a?a?a?a 

Table 7: Hashcat built-in character set “a” 

Character set                   #    Maximum time to solve 
?a?a?a?a?a?a?a?a                8    120 yrs 321 days 


Entropy as a measure of password strength 


The computer industry often specifies password strength in terms of information entropy, 
which is measured in bits. Instead of the number of guesses needed to find the password with 
certainty, the base-2 logarithm of that number is given, which is commonly referred to as the 
number of "entropy bits" in a password, although this is not exactly the same quantity as 
information entropy. A password with an entropy of 42 bits calculated in this way would be as 
strong as a string of 42 bits chosen randomly, for example by a fair coin toss. In other words, a 
password with an entropy of 42 bits would require 2^42 (4,398,046,511,104) attempts to exhaust 
all possibilities during a brute force attack. Increasing the entropy of the password by one bit 
doubles the number of guesses required. On average, an attacker will have to try half the possible 
number of passwords before finding the correct one. 




[Screen capture of the Hashcat status display: Hash.Name WPA-EAPOL-PBKDF2; mask 
?1?1?1?1?1?1?1?1 [8] with -1 ?d?l?u; five devices at 352.0, 357.9, 341.5, 351.9, and 335.1 kH/s, 
1738.3 kH/s combined; estimated time 3 years, 357 days.] 

Fig 2 - Screen capture of Hashcat running on GPU engine shown in figure 1 for Table 6. 


Random passwords 


Random passwords consist of a string of symbols of specified length taken from some set of 
symbols using a random selection process in which each symbol is equally likely to be selected. 
The usual set of symbols is contained in Hashcat. 


It is not a simple task to choose cryptographically secure random passwords and passphrases 
[4] that an adversary has a very low probability of guessing or determining. Passwords can easily 
fail if pseudo-random data is used that meets only traditional statistical tests for randomness, or 
that is based on limited-range sources such as clocks. Sometimes such pseudo-random quantities 
can be guessed by an adversary searching through an embarrassingly small space of possibilities. 


Exercise caution when selecting cryptographically secure random password generators! Never 
use online password generators or download unknown password generator software. Many 
firmware programmers write their own encryption algorithms for wireless products that are 
easily breached by professionals. Inexpensive routers are just one example. Encryption and 
password generation is a complicated science. 
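
The weakness described above, a generator fed from a limited-range source such as a clock, can be measured on a generator you control. The following Python sketch is an added example, not code from this paper; the function names and the sample timestamp are constructed for illustration. It contrasts a clock-seeded generator with one that draws from the operating system's cryptographic random source, and compares the entropy each really provides.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def weak_password(length: int, clock_seconds: int) -> str:
    """Anti-pattern: a statistical PRNG seeded with a clock reading."""
    rng = random.Random(clock_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int) -> str:
    """Each symbol is drawn independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_bits(length: int) -> float:
    """Entropy bits if every symbol really were chosen uniformly at random."""
    return length * math.log2(len(ALPHABET))


def effective_bits(window_seconds: int) -> float:
    """Entropy bits actually available when the only unknown is the seed time."""
    return math.log2(window_seconds)


def audit_clock_seeded(password: str, earliest: int, latest: int):
    """Self-audit of a generator: replay every clock second in [earliest, latest]
    and return the seed that reproduces `password`, or None if none does."""
    for seed in range(earliest, latest + 1):
        if weak_password(len(password), seed) == password:
            return seed
    return None


if __name__ == "__main__":
    issued_at = 1_644_145_896                      # constructed sample timestamp
    pw = weak_password(16, issued_at)
    print("nominal bits for 16 symbols :", round(nominal_bits(16), 1))
    print("effective bits, 1-day window:", round(effective_bits(86_400), 1))
    print("seed found in +/- 1 hour    :",
          audit_clock_seeded(pw, issued_at - 3600, issued_at + 3600))
    print("CSPRNG password reproduced  :",
          audit_clock_seeded(strong_password(16), issued_at - 3600, issued_at + 3600))
```

A 16-symbol password looks like about 95 bits, but when the seed is a clock second within a known day it carries about 16 bits, fewer than any row in the tables above.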




Mask Attack 


The reason for a Mask Attack, rather than using the traditional Brute-Force Attack, is to reduce 
the password candidate keyspace to a more efficient one. 


As an example, consider cracking the password: Georg1984 


In a traditional Brute-Force attack we require a character set that contains all upper-case 
letters, all lower-case letters, and all digits (aka “alpha-numeric”). The password length is 9, so 
we have to iterate through 62^9 (13.537.086.546.263.552) combinations. At an assumed crack rate 
of 100M/s, this may take more than 4 years to complete. [5] 


A Mask attack, however, takes advantage of the fact that humans tend to design passwords that 
are convenient to remember. The above password matches a simple but common pattern: a name 
with a year appended to it. The attack can be configured to try the upper-case letters only on the 
first position. It is very uncommon to see an upper-case letter only in the second or the third 
position. With a Mask Attack, the keyspace can be reduced to 52*26*26*26*26*10*10*10*10 
(237.627.520.000) combinations. With the same cracking rate of 100M/s, password discovery 
requires less than 40 minutes to complete.[1] 


My GPU rack is 40 times faster than the rate referenced by the authors at the Hashcat group. [1] 
Therefore, my equipment would crack the same password in under 1 minute. 
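
The keyspace arithmetic behind the tables, the entropy section, and the Georg1984 comparison can be reproduced with a small calculator for judging a password policy. This Python example is added here and is not from the paper or from the Hashcat project; the function names are hypothetical, the character sets are the built-in ones listed in the Analysis section, and the rates are the 100M/s quoted above and the 1738.3 kH/s combined speed visible in the Fig 2 capture.

```python
import math
import string

# Built-in charsets as listed in the Analysis section (?b, raw bytes, omitted).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,                  # space + 32 symbols
}
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")  # 95 printable ASCII


def _tokens(spec):
    """Split a mask or charset string into ('set', key) / ('lit', char) tokens."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            yield ("lit", "?") if key == "?" else ("set", key)
            i += 2
        else:
            yield ("lit", spec[i])
            i += 1


def _lookup(key, custom):
    if key in BUILTIN:
        return set(BUILTIN[key])
    if key in custom:
        return custom[key]
    raise ValueError(f"undefined charset ?{key}")


def position_sizes(mask, custom_specs=None):
    """Number of candidate characters at each mask position.

    custom_specs maps '1'..'4' to the argument of -1..-4, e.g. {'1': '?d?l'}.
    Characters that appear in more than one component are counted once.
    """
    custom = {}
    for slot in sorted(custom_specs or {}):
        chars = set()
        for kind, value in _tokens(custom_specs[slot]):
            chars |= _lookup(value, custom) if kind == "set" else {value}
        custom[slot] = chars
    return [len(_lookup(v, custom)) if kind == "set" else 1
            for kind, v in _tokens(mask)]


def keyspace(mask, custom_specs=None):
    """Total number of candidates the mask generates."""
    return math.prod(position_sizes(mask, custom_specs))


def entropy_bits(mask, custom_specs=None):
    """Base-2 logarithm of the keyspace ("entropy bits")."""
    return math.log2(keyspace(mask, custom_specs))


def max_seconds(mask, rate_hz, custom_specs=None):
    """Worst-case exhaustive search time; the average is about half of this."""
    return keyspace(mask, custom_specs) / rate_hz


def human(seconds):
    """Format like the tables: largest non-zero unit plus the next one down."""
    units = [("yr", 365 * 86400), ("day", 86400), ("hr", 3600),
             ("min", 60), ("sec", 1)]
    remaining = int(seconds)
    for idx, (name, size) in enumerate(units):
        if remaining >= size:
            major, remaining = divmod(remaining, size)
            text = f"{major} {name}"
            if idx + 1 < len(units):
                minor_name, minor_size = units[idx + 1]
                text += f" {remaining // minor_size} {minor_name}"
            return text
    return "0 sec"


if __name__ == "__main__":
    cases = [("brute force", "?1" * 9, {"1": "?l?u?d"}),
             ("mask", "?1?l?l?l?l?d?d?d?d", {"1": "?l?u"})]   # Georg1984 pattern
    for label, mask, cs in cases:
        print(f"{label:12} {keyspace(mask, cs):>20,} "
              f"{entropy_bits(mask, cs):5.1f} bits  "
              f"{human(max_seconds(mask, 100e6, cs))} at 100M/s")
    rig_rate = 1_738_300      # H/s, combined WPA speed read from the Fig 2 capture
    print("?a x 8 at rig rate:", human(max_seconds("?a" * 8, rig_rate)))
```

The mask form of the 9-character password is worth about 37.8 bits against 53.6 bits for the full alphanumeric search, which is the gap between minutes and years described above.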


Discussion 


The above tables show maximum times for my GPU computing engine to solve for a password, 
given a fixed length and character set. Similar systems will provide similar results, depending 
upon the video cards used. In practice, actual times to find a solution on average will be roughly 
half of those figures. The underlying assumption is these passwords have all been created by a 
“Password Generator” and are random. There are other more effective means to crack passwords 
consisting of convenient to remember words and phrases, such as word lists. 


If multiple GPU engines are operated in parallel, the times to crack a password will be 
correspondingly reduced. If ten GPU engines identical to mine are used, the times listed in the 
tables would be reduced by a factor of ten. This increases the cost of equipment and operation. It 
is easy to see that the cost of cracking a password goes up dramatically with the complexity of the 
password. The question immediately arises as to what it is worth to an adversary to obtain a 
specific password. 


Most people use easy to remember passwords. The first approach in an attack is to employ 
word lists. These can often yield results in very short order. Reconnaissance related to the target 
or, in the case of an individual, background information on that individual can yield guesses with 
high probability of cracking in very short times. Most people use names and dates for passwords, 
which are simple to crack, if personal things are known about that individual. There are special 
programs and word lists of most common passwords, created for this purpose, that you might 
have noticed as options in Wifite. There are also masks of the most common password styles and 
constructs, discussed in the references to “Hashcat”, that can be employed to shorten cracking 
time. 


Another means to impede password crackers is to change passwords (not rotate them) on a 
regular basis. The interval between changes is the longest time a cracker will have to break your 
code, which also defines the hardware needed. 

The question you must ask yourself is, “How important is the data I am protecting?” 

To prevent your passwords from being hacked by social engineering, brute force, or dictionary 
attack methods, and to keep your online accounts safe, you should observe the following 
guidelines: 

1. Do not use the same password, or security question and answer for multiple important 
accounts. 
2. Use a password that has at least 16 characters, use at least one number, one uppercase 
letter, one lowercase letter and one special symbol. 
3. Do not use the names of your families, friends, or pets in your passwords. 
4. Do not use postcodes, house numbers, phone numbers, birthdates, ID card numbers, social 
security numbers, etc. in your passwords. 


The particular technique discussed in this paper is already in the public domain. However, the 
full extent of the hazard was not explained in the Bombal video [3]. This is a well-known 
technique used by military, intelligence agencies, the FBI, and police. 


It is important to keep in mind that insurance companies typically will not honor a claim, if 
there is no evidence of an intrusion. The user who creates his own password is culpable and 
should be aware of the strength of that password. Keeping the full extent of techniques like this 
secret only exposes the general public to unnecessary risk.[6] 


References 


[5] https://en.wikipedia.org/wiki/Password_strength 
[6] “A MODEL FOR HOW TO DISCLOSE PHYSICAL SECURITY VULNERABILITIES,” Roger G. 
Johnston, Ph.D., CPP, Journal of Physical Security 3(1), 17-35 (2009). 


Journal of Physical Security 15(1), 30-47 (2022) 


Body-Worn Cameras and the Cloud: The Costs of Getting it Wrong 


Brian Kelly, Ed.D. 
Farmingdale State College 
Farmingdale, New York 


Introduction 

Since 2014, many police agencies in the United States have adopted the idea of utilizing 
and mandating police-worn body cameras within their public safety organizations. The 
impetus was the need to improve law enforcement technology within the overarching 
framework of agencies desiring to reduce organizational liability, and to increase officer 
accountability. Police departments may have also viewed this as a steadfast for 
indemnifying themselves from future lawsuits, and to weed out bad hires. 


In their narrative review of empirical body-worn camera (BWC) research, Lum, et al. 
(2019) suggested that BWCs have not had consistent effects on the behaviors of officers or 
citizens—for either better or worse—and that both citizens and the police seem to believe 
that BWCs might be able to protect each from the other. Other researchers, however, have 
been more optimistic in their assessments (see, e.g., Gaub & White, 2020; Malm, 2019; 
Maskaly et al., 2017). 


Conversely, evidence obtained using this technology, if stored and secured, serves as a 
pre-trial barrier to limit attempts at litigation driven by individuals who make false claims 
against officers, seeking a financial payout. Police departments that are burdened by 
officers themselves partaking in misconduct of any form may be able to indemnify their 
agencies by simply using the video footage to charge their own members, potentially 
avoiding high legal costs brought on by improper actions by their officers. 




In the United States, the continuing rapid adoption of BWCs, which actually started in the 
2010s, provides some clues as to what both police and citizens expect cameras to 
accomplish. The push for BWC adoption has been propelled by highly-publicized, videoed 
events involving (often) White police officers killing (often) unarmed Black individuals. 
(See, for example, general discussions by Braga, Sousa, Coldren, & Rodriguez, 2018; Lum, 
Stoltz, Koper, & Scherer, 2019; Maskaly, Donner, Jennings, Ariel, & Sutherland, 2017; 
Nowacki & Willits, 2018; White, 2014). 


The first significant event of this era did not actually involve a police officer or a BWC, but 
an armed individual who, posing as a neighborhood watchman, killed an unarmed Black 
youth—Trayvon Martin—in 2012. Following the Martin killing was the shooting of Michael 
Brown in 2014 by a Ferguson, Missouri police officer, and then the death of Freddie Gray 
while in police custody in Baltimore City, Maryland, in 2015. These and many other seminal 
events made national headlines as they were captured on citizens’ cell phone cameras. 
These events sparked significant protest and reform efforts, most notably Black Lives 
Matter, that called for substantial changes, greater accountability, and greater transparency 
on the part of the police, especially to their misconduct, use of force, and in some cases, 
crimes. During this time, other policing tactics also were heavily scrutinized and 
challenged in court, especially the widespread use of stop-question-and-frisk. (See, 
e.g., Floyd et al. vs. New York City et al, 08 Civ. 1034 [SAS]). 


These and other long-brewing concerns about police tactics, accountability, and use of 
force, led to a significant review of policing undertaken by President Obama's Task Force on 
21st Century Policing (2015). The Task Force considered BWCs as one possible option to 
reduce police use of force, and improve police accountability and transparency in the eyes 
of the public. Public concerns and protests created the political will to call for the adoption 
of BWCs. This demand was matched with a prepared supplier; technology companies had 
already developed both BWCs and other similar surveillance devices (e.g., in-car cameras, 
license plate readers, and closed-circuit televisions). 




BWC-oriented Financial Challenges 

This politically-driven demand may have also propelled yet another relevant challenge 
for police agencies. As, however, with many well-intentioned implementations, financial 
hurdles for police departments arose in the areas of procuring and using body-cameras, 
requiring BWC acquisition to need further study. Whereas the purchase price of individual 
cameras may not always present a huge budgetary problem, the costs for field use and 
maintenance, as well as cloud storage and security (perhaps provided by third parties) can be 
substantial. 


Budgetary parameters may be far from the only concern for police departments 
regarding BWC and evidence storage. Pervasive data collection, whether by government 
agencies, advertisers, or retailers, is already a reality for most Americans. And body camera 
adoption by the police will likely only be a precursor to other public officials (e.g., teachers) 
and private actors (e.g., insurance adjustors) following suit (Maciag, 2015; Mims, 2015). 


On April 5, 2017, Axon (formerly known as Taser), the largest vendor of BWCs in the 
United States, announced it would provide free body cameras to all American law 
enforcement agencies, plus a year’s worth of access to their cloud storage service at 
Evidence.com. Although the offer has the potential to provide significant savings for 
departments, the move has also raised concerns. Some departments are hesitant because it 
would mean the company would have access to all their BWC footage. Some law 
enforcement officials called it a “PR stunt,” though Axon denied those allegations (Farivar, 
2017). 


According to some estimates, storage of BWC-generated data may be the single largest 
expense in implementing a BWC program. Data storage costs depend upon how many videos 
are recorded, how long recordings are retained, how the videos are stored (on in-house 
servers or online), and the level of encryption used to keep the data secure, all of which vary 
from agency to agency (Al-Jazeera, 2016). 


Data recovered from body-worn cameras serves as evidence. This evidence may often 
come at a financial cost which may be perceived as unforgiving. Indeed, data storage costs 
are sometimes cited as a reason why police departments may be reluctant to adopt body 
cameras at all (Ryan 2016). The amount of data created is often beyond the capacity of 
most local police departments to store themselves. Private companies offer data storage 
services—sometimes the very same companies that supply the body cameras. This 
third-party storage is costly—in fact, often the most expensive part of police body camera 
programs. Profit margins are much higher for video storage than they are for the cameras 
themselves (Merian, 2015). 


Data storage costs may thus be one of the factors that most strongly influences decisions 
about which kinds of incidents officers will record in the first place (Joh, 2016). Another 
factor affecting what gets recorded may be a police department’s policies. A separate 
consideration is how long the data should be stored. Here, there may be tension between 
the values of privacy and accountability. The few states that have addressed body camera 
video storage limits have generally erred on the side of limiting video storage unless it is 
involved in a criminal investigation (Urban Institute, 2016). 


Shorter storage times mean that there is less data—of innocent people as well as 
suspects—available for inspection and analysis. On the other hand, longer data storage 
periods may enhance public accountability if it means that the public (citizens, journalists, 
and researchers) can view video that can shed light on individual cases as well as general 
policing practices (Joh, 2016). Nonetheless, there are significant data storage costs for 
whatever storage duration a police department chooses. 




Consider the following projections from a 2012 report by CSC: (1) By 2020, over 
one-third of all data will live in or pass through the cloud; (2) In 2020, data production is 
estimated to be 44 times greater than it was in 2009; (3) Experts estimate a 4,300% 
increase in annual data generation by 2020; and (4) While individuals are responsible for 
most data creation (70%), a full 80% of all data is stored by enterprises. Police agencies are 
no different as it applies to BWC programs. The amount of data which could be generated, 
alongside the already costly factors stemming from huge increases in data generated by 
ANPR, CCTV, and phones (Marx, 2012) represent a serious financial burden. 


Now data is property. Property needs to be well protected, especially if it is controlled and 
monitored by people. Privacy concerns are associated with the storage of BWC footage, and 
the subsequent vulnerability of stored video to hacking attempts, especially if the 
department uses cloud-based storage (Vibes, 2017). Thus the “data fate” (Marx 2012) of the 
information produced by body cameras by the police will influence the use of this 
technology well beyond immediate policing. 


Conceptual Framework 

Police body camera evidence may remain on file for indefinite periods of time. The 
longer evidence is stored by police agencies, the greater the cost to both store it and secure 
it from unauthorized access. With the requirement for good security, there is a need for 
research relevant to third-party service providers who claim to specialize in the highest 
quality of body camera performance, storage, and security. In many cases, police 
departments may opt for the most highly protected version of cloud security storage money 
can buy, in order to procure their valuable evidence. Although the cameras themselves are 
relatively inexpensive, storage is costing some police departments in the millions. For 
example, costs can be up to $2.6 million for storage and the extra staff needed to manage 
the video data, while other departments are paying from $20 to $100 per month per police 
officer for data storage and management plans (Police Executive Research Forum’s report, 
2014). 




Conversely, in their comprehensive narrative review of BWCs, Lum, et al. (2019) 
discovered approximately 70 published or publicly available studies of BWCs that 
contained over 110 sub-studies examining various outcomes and aspects of BWCs through 
June 2018. Lum, et al.'s review was not a meta-analysis and did not synthesize effects 
across studies. They also looked at a wider range of studies, subjects, methodologies, and 
outcomes to examine the state of research on BWCs. In particular, they grouped studies 
into six topical categories: (a) the impact of BWCs on officer behavior; (b) officer attitudes 
about BWCs; (c) the impact of BWCs on citizen behavior; (d) citizen and community 
attitudes about BWCs; (e) the impact of BWCs on criminal investigations; and (f) the impact 
of BWCs on law enforcement organizations. 


Lum, et al. (2019) concluded that although it seemed that many agencies, officers, and 
citizens support BWCs, cameras have not consistently had the effects anticipated (or 
feared) by either police officers or citizens. They argued that anticipated effects may have 
been “overestimated” (p. 110) and that behavioral changes in the field may be “modest and 
mixed” (p. 111). Lum, et al. (2019) also observed that while several studies suggested that 
BWCs could reduce citizen complaints against police, it remained unclear why the decline 
occurs. 


This paper examines financial and security-oriented variables attributed to this specific 
genre of law enforcement technology (BWC) acquisition. In particular, I look at the ancillary 
costs attributed to such components, coupled with the unpredictable costs of poor 
decision-making by police departments about cloud storage of body-camera footage. Furthermore, 
in order to formulate a foundation to conduct this specific examination, I closely examine a 
2017 study, conducted by the Leadership Conference on Civil and Human Rights (LCCHR), 
entitled, “Updated Scorecard and New Report Examine Local Police Body Camera Programs 
and Process.” This 2017 study evaluated the civil rights safeguards of police body-worn 
camera programs in 75 different police agencies within specific U.S. cities (Leadership 
Conference and Upturn, 2017). In this paper, I will demonstrate how civil rights safeguards 
may not always meet the needs of all stakeholders. I will further evaluate the concepts of 
BWC data, BWC data storage and security, coupled with BWC financial sustainability based 
on technological implementation of police agencies. 


When comparing the 2017 LCCHR study to Lum’s grouped study, the concept of BWC 
cloud security and fiscal responsibility of body-worn camera utilization within police 
departments warrants further study. An examination of the civil rights safeguards of police 
body-worn camera programs, as identified by the 2017 LCCHR study, reveals 8 areas which 
could impact BWC programs in police departments. The 8 categories explored in the 2017 
study were: (1) Policy Available, (2) Officer Discretion, (3) Personal Privacy, (4) Officer 
Review, (5) Footage Retention, (6) Footage Misuse, (7) Footage Access, and (8) Biometric 
Use (Leadership Conference and Upturn, 2017). 


The 2017 LCCHR study may indicate legal ramifications for civil rights violations, if in fact 
specific safeguards of police body-worn camera programs are not enacted. Those legal 
ramifications could create financial and security-oriented woes, spearheaded through 
incidents captured on the body-worn camera technology and stored within the cloud. 
Within the 8 categories documented in the 2017 LCCHR study, I have identified 4 categories 
of substantial financial or security concern. These categories are: (1) Policy Available, (2) 
Footage Misuse, (3) Footage Retention, and (4) Footage Access. 


Important Factors 

The 2017 LCCHR study sampled 75 police agencies. First, it was determined whether 
these departments possessed a BWC policy. Based on the existence of a BWC policy, I feel 
that I am able to determine whether the BWC programs with written policies were 
responsive to financial limitations and security concerns. 




To fully grasp how the 2017 LCCHR study interprets a BWC policy, Vanita Gupta, 
president and CEO of The Leadership Conference (2017) stated, “As more police 
departments utilize body-worn cameras, they must not be taken as the last word for police 
accountability. Our scorecard shows that many police departments are failing to adopt 
adequate safeguards for ensuring that constitutional rights are protected, and our report 
shows that unrestricted footage review places civil rights and liberties at risk and 
undermines the goals of transparency and accountability. Without carefully crafted policy 
safeguards in place, there is a real risk that body-worn cameras could be used in ways that 
threaten civil and constitutional rights and intensify the disproportionate surveillance of
communities of color.” (Leadership Conference on Civil and Human Rights, 2017).


Civil rights groups, such as the Leadership Conference on Civil and Human Rights 
(LCCHR), when presenting their ‘scorecard’ of sorts, appear to be dismissive of additional 
problems with BWC policy. Some portions of these policies may be far more detrimental to 
defendants or complainants than the mere opportunity to claim a civil rights violation. This
is explained below.


A. Policy Available (Financially Beneficial) 

A police agency that possesses a BWC policy may demonstrate to the public and the 
courts more transparency, a stricter adherence to lawfulness, and a perceived level of 
seriousness regarding future legality, than an agency which has no BWC policy. There may 
also be less liability with accompanying financial benefits. Despite the fact that 
approximately 51 agencies from the 2017 study allowed their identity and BWC policy to be 
made available, no clear correlation other than the constitutional right to possess
knowledge of a policy within a police department was found.


B. Footage Misuse (Security-oriented Concern) 
Footage Misuse involves the police misuse of BWC, purposely, negligently, and/or
recklessly, at times, though not necessarily in totality. Misuse could present security
concerns within the department. The public or a court may perceive footage misuse by
officers as an example of a data breach. If misuse is common by officers who use BWC, 
these actions exceed any in-house security concern. Misuse in any way could cost agencies 
an exorbitant amount in legal fees, and/or mandated cloud storage improvements to 
prevent further misuse. The 2017 study showed that 38 of the 75 agencies included policy 
language for Footage Misuse, yet does not exhibit evidence of root causes or results of the 
misuse. This addition could assist agencies regarding future liabilities, just as the BWC 
themselves are supposed to do. Widespread misuse could easily be more concerning for
police departments than a civil rights violation.


C. Footage Retention (Financially Beneficial & Security-oriented Concern) 

Footage Retention policies exist for only 14 police agencies in the 2017 LCCHR study. 
This study recognizes Footage Retention as a legal obligation to preserve evidence in the 
cloud. Nonetheless, the longer any data is retained in cloud storage, the higher the 
probability that a data breach could occur. Moreover, the longer any data is retained on a
cloud, under control and monitoring by a third-party vendor, the more costly it becomes.


D. Footage Access (Security-oriented Concern) 

In the 2017 LCCHR study, policy language pursuant to Footage Access, alongside the 
concept of Misuse, was documented as only a civil rights concern. The 2017 study 
interpretation, in my view, focuses on data-access issues from a defendant’s viewpoint, 
including but not limited to a defense attorney’s access to BWC video footage for court 
purposes. This should not be a concern at all because it could be deemed discoverable in a 
court of law. I believe that Footage Access, in particular, is a dominant security concern, 
given that only 7 agencies allow for enforcement of unauthorized access to classified data in 
their written policy. Access may have benefits for security. Transparency should be 
exhibited when and if those who have access are disguised through encryption. Confusion
must be avoided as to whether footage was accessed internally or externally. Exactly who
accessed the information must be clear. All of these capabilities represent significant
security and implementation issues (Urban Institute, 2016).


Data-Storage Options and Case Examples 
The Police Executive Research Forum’s report (2014) offers recommendations regarding 
data storage policies for BWCs, including: 
• Consulting with prosecutors and legal advisors to ensure that storage policies are
compliant with all relevant record retention laws;
• Prohibiting personnel from tampering with, editing, or copying data (except for
redacting video as required by law);
• Providing safeguards against altering the data prior to downloading;
• Creating an auditing system to record who accesses BWC-generated data and when;
• Stating who will be approved to access data and for what purpose;
• Ensuring that there is a reliable back-up system for redundancy;
• Specifying when videos will be downloaded from the camera to the storage system
and who will download them;
• Considering third-party vendors cautiously.


In Fort Worth, Texas, the police department has purchased over 600 cameras and 64 
terabytes of data storage for a year. This is “an amount equivalent to at least three times the 
contents of the 20 million books in the Library of Congress” (Johnson, 2014, para. 16.) Law 
enforcement agencies have to be willing to use new and innovative technology to show
communities that departments are forthcoming in their dealings with the public (Eckard,
2016). As a separate issue, could the amount of data storage also increase a risk of being
penetrated? Some agencies may be willing to take that risk. The police department of
Oakland, California alone, for example, creates 7 terabytes of data every month (Oakland
North, 2016).




In 2019, officers at the Los Angeles Police Department (LAPD) were victims of a data 
breach that exposed the personal information of about 2,500 officers and 17,500 officer 
applicants. The exposed information included names, date of birth, employee serial 
numbers, and email addresses. Although it wasn't BWC footage that was part of this 
breach, the LAPD was forced to opt for cloud security, in the aftermath. For the LAPD, it 
seems that the system cost over $400,000 to house the BWC storage. BWC storage breeds 
additional intricacies. According to Palantir’s website, the company offers a video analytics 
feature that allows “user to tag individuals and events within video data and associate those
tags with information from other data sources” (Reichert, 2019.)


Are clouds even the best way to store governmental evidence? What are the other 
options for this data storage, based on retention periods needed, and the amount of data 
actually acquired? By one estimate, some large police departments are producing more 
than 10,000 hours of video data a week (Sanburn 2016). Feasible options need to be 
researched. Simply defaulting to third-party vendors because they possess decent cameras 
for your officers isn’t a reason to settle for expensive cloud storage, or a lack of options. The 
data should be stored indefinitely. This long-term storage facilitates later processing and 
reprocessing of the data against new analytics technologies. Both the visual signals and the 
audio signals are valuable sources of information for generating a complete understanding 
of a given situation (Corso, 2015). Furthermore, police agencies should ensure that they
remain owners of this video footage produced from BWCs.


Relevant Legislation 

Manufacturers of the cameras and data storage companies are developing solutions to
reduce not only the cost of the cameras, but also the high costs of data management and retention
(Taylor, 2017). Given the cost of data storage, several police departments abandoned their 
BWC programs when some state legislatures passed new laws requiring longer records 
retention schedules for BWC-generated data. Indiana’s House Bill 1019, enacted in 2016,
required LEAs to store all BWC-generated videos for 190 days, but did not require agencies
to use BWCs (General Assembly of the State of Indiana, 2016). Prior to passage of the law,
storing videos for 30 days cost between $5,000 and $10,000 annually. Under the new law, it
was estimated that costs would soar to between $50,000 and $100,000 annually. This is
prohibitive for the department (Al-Jazeera, 2016).


Due to the recent emergence of BWCs and their rapidly developing technology, LEAs and 
governments still are developing policies and statutes to regulate their use (Bowman, SLC, 
2017). One study conducted by the SLC Regional Resource examined policy issues 
associated with the acquisition and enforcement of use of BWC, including considerations 
for implementation such as data storage, staffing and privacy, and existing laws and
policies that regulate their use in the 15 SLC member states (Bowman, 2017).


Combatting Financial Constraints 

The U.S. Department of Justice in 2015 provided $20 million to support BWC adoption 
(U.S. Department of Justice, 2015), which led to a rapid increase in their use. The 2017
study also identified some police agencies who not only possess BWC programs, but were
nevertheless funded by the U.S. Department of Justice. This funding provided a $500 million
grant for BWC, including storage, which is the costliest aspect of a BWC program. These
departments may not face serious budgetary concerns in the long-term as much as others
who aren't grant funded (Leadership Conference, 2017).


Approximately 27 police agencies from the 75 sampled were funded with the $500 
million grant by the U.S. Department of Justice. The following departments did indeed 
receive funding for BWC: Alameda County, Albuquerque, Austin, Baton Rouge, Broward 
County, Chicago, Cincinnati, Detroit, Fayetteville, Fort Lauderdale, Jacksonville, Las Vegas, 
Los Angeles, Los Angeles County, Miami, Miami-Dade, Minneapolis, New Orleans, Omaha, 
Phoenix, Raleigh, Rochester, San Antonio, San Francisco, Seattle, Tulsa, and Washington D.C.
(Leadership Conference, 2017).




Grant funding for agencies that implement BWCs may also assist in reducing long-term 
costs attributed to this type of program, including cloud storage and other regulatory 
requirements. Who are the grants from the Department of Justice being distributed to? Are 
grants approved for all police departments who submit a grant application, or only a select
few? Each BWC program needs a fair amount of funding.


Acquisition and Applicability 

Vetting is paramount for business services and acquisition. Vendors need to be 
universally screened. For instance, is the security and reliability of the cloud storage by a 
certain vendor too weak? Best practices need to be communicated to police departments 
and put into play. Furthermore, third parties cannot be allowed to upsell storage from 
clouds, with no oversight. Governmental standardization should exist where it is scaled 
properly for agencies at the local, state, and federal levels. Third parties need to make
money but should not make a BWC program unsustainable.


In my view, all BWC programs must have a security-driven policy in place. All policies 
need to address areas such as Footage Misuse, Access, and Retention. The 2017 LCCHR 
study revealed the number of police agencies that did author and maintain a BWC policy, 
yet their policy language for Misuse, Access, and Retention could be perceived as self-serving,
and one-dimensional—only focusing on those who claim that a civil right may have
been violated. This may show a lack of vision and a failure to recognize what could truly be at
stake for all parties involved.


Conclusion 

Whether one believes BWCs keep citizens and/or the police accountable, the main benefit 
of BWCs may be the self-awareness generated when an individual is being recorded and
watched. This may deter wrongdoing or socially undesirable behavior because cameras
may increase a person's perceived risk of detection (Ariel, Farrar, & Sutherland, 2015). In
this age of big data, digital information once collected may be endlessly analyzed, sifted,
and sorted for different purposes (Mayer-Schoenberger, 2013). The data captured by police
body cameras will likewise be subject to the same analysis and reuse. To be sure, the
recording alone raises concerns about surveillance, but those concerns turn on how the
data itself is processed. Body camera policies must address not only concerns about
surveillance, but also data control (Joh, 2016). The control of data, or lack thereof, could
represent serious financial burdens for all parties.


I believe that properly written and implemented policies by police agencies for body-worn
cameras could be a major tool for reducing liability (financial, security, or public
relations). Policies are often used as a model for policing. If police agencies could adapt
more effective models for policy analysis, perhaps financial, security, and public relations
concerns could be lessened. A heavily researched, multi-step process may be necessary for
agencies to successfully apply for a BWC program integration grant.


Acknowledgments 
I am indebted to the editor and anonymous reviewers for suggestions and editing advice
to improve the paper.


References 


Amina, Elahi (2015) “Motorola Solutions joins battle to supply police body cameras,”
Chicago Tribune; As retrieved from http://www.chicagotribune.com/bluesky/originals/ct-motorola-solutions-body-camera-bsi-20151020-story.html


Bakst, B, Foley, Ryan, 22.11 (2015) “For police body cameras, big costs loom in storage”; As
retrieved from: https://www.policeone.com/police-products/body-cameras/articles/8243271-For-police-body-cameras-big-costs-loom-in-storage/




Bowman, N. (2017). Body-worn cameras: Laws and policies in the south. Southern
Legislative Conference, Southern Office of The Council of State Governments. As retrieved
from https://www.scribd.com/document/344852431/Body-Worn-Cameras-Laws-and-Policies-in-the-South#from_embed


Corso J. C., Alahi A., Grauman K., Hager G. D., Morency L., Sawhney H., & Sheikh Y. (2015).
Video Analysis for Body-worn Cameras in Law Enforcement: A white paper prepared
for the Computing Community Consortium committee of the Computing Research
Association; As retrieved from: http://cra.org/ccc/resources/ccc-led-whitepapers/


Dye, T. (2013). Understanding Public Policy (4th ed.). Upper Saddle River, NJ: Pearson


Farivar, Cyrus. “Taser stuns law enforcement world, offers free body cameras to all US
police.” Ars Technica April 5, 2017. Retrieved from: https://www.arstechnica.com/tech-policy/2017/04/taser-announces-free-bodycameras-cloud-storage-to-all-us-cops-for-a-year


Harcourt, Bernard. (2015) “In Rahm Emanuel’s Chicago Surveillance State, Controlling
the Data is Key.” The Intercept. December 14, 2015. As retrieved from: https://theintercept.com/2015/12/14/in-rahm-emanuels-chicago-surveillance-state-controlling-the-data-is-key/


“House Enrolled Act No. 1019.” General Assembly of the State of Indiana, 2016, retrieved
from https://iga.in.gov/staticdocuments/3/d/f/2/3df25085/HB1019.04.ENRS.pdf
(accessed December 12, 2016).


Joh, Elizabeth (2016). “The New Surveillance Discretion: Automated Suspicion, Big Data,
and Policing.” Harvard L. & Policy Review, 10 (2016) 15-42.




Maciag, Mike. (2015). “Police aren’t the only public employees wearing body cameras.”
Governing, June 10. Accessed February 7, 2016. As retrieved: http://www.governing.com/topics/public-justice-safety/gov-body-cameras-employees-expansion.html


Marx, Gary. 2012. “‘Your Papers Please’: Personal and Professional Encounters With
Surveillance”; International Handbook of Surveillance Studies, edited by Kirstie S. Ball,
Kevin D. Haggerty, and David Lyon, xx-xxxi. New York: Routledge


Mayer-Schonberger, V. and Kenneth Cukier. (2013). Big Data: A Revolution that Will
Transform How We Live, Work, and Think.


Merian, Lucas. (2015) “As police move to adopt body cams, storage costs set to
skyrocket.” As retrieved from: http://www.computerworld.com/article/2979627/cloud-storage/as-police-move-to-adopt-body-cams-storage-costs-set-to-skyrocket.html


Miller, Lindsay, Jessica Toliver, and Police Executive Research Forum (2014); “Implementing
a Body-Worn Camera Program: Recommendations and Lessons Learned.”


Mittelman, W. (1991). Maslow's study of self-actualization: A reinterpretation. Journal of
Humanistic Psychology, 31(1); pp. 114-135.


Oakland Police Department. (2016). Departmental general order: Portable video
management system. Oakland, CA: Interim Chief Sean Whent. As retrieved from http://www2.oaklandnet.com/oakcal/groups/police/documents/webcontent/oak054254.pdf


Reichert, Corinne (2019) “LAPD data breach exposes personal info of 2,500 officers, report
says”; As retrieved from: https://www.cnet.com/tech/computing/lapd-data-breach-reveals-personal-info-of-2500-officers-report-says/




Ryan, Jacob. 2016. “Body Cameras Not Likely for Kentucky State Police.” WFPL.org. January
19, 2016. As retrieved from: http://wfpl.org/lack-of-funding-means-body-cameras-unlikely-anytime-soon-for-kentucky-state-police/


Sanburn, Josh. (2016) “Storing Body Cam Data is the Next Big Challenge for Police,”
Time. January 25, 2016. As retrieved from: http://time.com/4180889/police-body-cameras-vievu-taser/


Spangenthal-Lee, Jonah (2014) “Sign Up Now For the First-Ever Seattle Police Hackathon,”
Seattle Crime News SPD Blotter, Dec. 5, 2014, http://spdblotter.seattle.gov/2014/12/05/sign-up-now-for-the-first-ever-seattle-police-hackathon/


Taylor, Harriet. (2017) “New gun cameras offer a ‘cops-eye’ view of policing,” CNBC, Jan. 11,
2017, As retrieved from: http://www.cnbc.com/2017/01/11/gun-cameras-replace-body-cameras-police-departments.html


The Leadership Conference on Civil and Human Rights. 2017. “Updated Scorecard and New
Report Examine Local Police Body Camera Programs and Process.” Justice Reform News,
Media & Tech News 11.14.17 As retrieved from: https://civilrights.org/2017/11/14/updated-scorecard-new-report-examine-local-police-body-camera-programs-process/#


“Two U.S. police departments drop body cameras over costs.” Al Jazeera. September 11,
2016; As retrieved from: http://www.aljazeera.com/news/2016/09/police-departments-drop-body-cameras-costs-160911075457471.html (accessed November 29, 2016).


Urban Institute. (2016) “Police Body-Worn Cameras: Where Your State Stands.” February
2016. As retrieved from: http://apps.urban.org/features/body-camera/




Vibes, John. (2017) “Seattle Police Hold Hacking Contest So They Can Learn How To Censor
Body-Cam Footage,” The Free Thought Project, accessed March 7, 2017; As retrieved:
http://all-len-all.com/seattle-police-hold-hacking-contest-so-they-canlearn-how-to-censor-body-cam-footage/


Yin, R.K. (2003). Case Study Research: Design and Methods. Sage. Thousand Oaks,
California.




Journal of Physical Security 15(1), 48-52, (2022) 


The FDA and DHS Blessing of Security Technologies: 
Positive Contributions to Security or Security Theater?* 


Roger G. Johnston, Ph.D., CPP 
Right Brain Sekurity 
https://rbsekurity.com


Tamper-Evident Packaging & the Food and Drug Administration (FDA) 


Ever since the 1982 Chicago Tylenol murders, all over-the-counter (OTC) pharmaceuticals sold 
in the United States are required to have tamper-evident packaging.[1-4] The FDA must approve 
OTC drug packaging, including the tamper-evident design(s) and feature(s). 


The Code of Federal Regulations, 21 CFR 211.132, "Tamper-evident packaging requirements for 
over-the-counter (OTC) human drug products" states that [2]


"... (b) Requirements for tamper-evident package. (1) Each manufacturer and packer who packages
an OTC drug product (except a dermatological, dentifrice, insulin, or lozenge product) for
retail sale shall package the product in a tamper-evident package, if this product is accessible to
the public while held for sale. A tamper-evident package is one having one or more indicators or
barriers to entry which, if breached or missing, can reasonably be expected to provide visible
evidence to consumers that tampering has occurred. To reduce the likelihood of successful tampering
and to increase the likelihood that consumers will discover if a product has been tampered
with, the package is required to be distinctive by design or by the use of one or more indicators
or barriers to entry that employ an identifying characteristic (e.g., a pattern, name, registered
trademark, logo, or picture). For purposes of this section, the term "distinctive by design"
means the packaging cannot be duplicated with commonly available materials or through commonly
available processes. ..."


It is not at all clear exactly how the FDA decides when particular OTC packaging has adequate 
tamper-detecting capabilities. It is not clear if ANY tamper-evident packaging ever gets rejected 
for technical or vulnerability reasons, as opposed to temporarily being rejected due to paperwork 
errors or incomplete data. If few or zero tamper designs are ever rejected, the FDA's blessing 
would seem to have little value. It is also not clear who at the FDA makes judgements about the 
efficacy of OTC tamper-evident designs, or what their qualifications are in terms of being experienced
end users, or having expertise with vulnerability assessments or practice defeating tamper-indicating
seals.


Moreover, the federal specifications for OTC tamper-evident packaging [2-5] are vague and, in
some cases, questionable. For example, after experimenting with many different OTC tamper-indicating
designs of various kinds available in stores, I am unaware of ANY that would meet the
requirement that they "... cannot be duplicated with commonly available materials or through
commonly available processes..." in the last sentence of the 2nd paragraph above.[2]


*This paper was not peer reviewed.


Some of the other problems I see with the federal specifications for OTC tamper-evident packaging
include:


(1) Nonsensically insisting on often calling it "tamper-resistant" packaging (or "barriers") [2-5] 
when, in fact, few or zero OTC products significantly resist tampering. [2-5] At best, they might 
have the potential to leave behind evidence of tampering. 


(2) Having requirements [3] for the tamper-detection capabilities of bubble & blister packs, 
heat-shrink bands, foil pouches, and container mouth inner seals that, at least in my experience, 
are rarely or never met by existing OTC products.


(3) Much (all?) of the testing of the packaging appears to be done by the applicant for FDA
approval, rather than the FDA itself. If this is the case for tamper-detection performance, what
are the testing and assessment procedures that the applicants use, and what are their vulnerability
assessment qualifications and experience?


In September of 2018, I submitted a Freedom of Information Act (FOIA) Request [6] to the FDA
to try to better understand the approval process. I sought information about how OTC tamper-evident
packaging is tested and approved, and how many designs get rejected for technical or security
vulnerability reasons (not just incomplete paperwork or paperwork errors). I also requested
specific information on capsule sealing and copies of petitions to request exemption from
the federal tamper-evident rules for years 2015-2018, as well as whether the requested exception
was granted or denied.


Now government agencies receiving a FOIA Request are (by law) supposed to respond in 20
days [7], though they do not need to produce all records in 20 days. This did not happen for my
FDA FOIA request; this is reportedly quite common.[7] Also, FOIA Requests are supposed to receive
expedited treatment if health or safety are issues—definitely the case for product tampering—or
if there is an urgent public interest in the matter—arguably the case here.[7] My requests
did not appear to receive any expedited treatment.


More than 3 years and 2 months later, I did receive (without any substantive comment from the 
FDA) a single document. This was a copy of reference [5], which was already readily available on 
the Internet. This document is not responsive to my questions. 


To my mind, questions remain about whether the FDA approval of OTC tamper detection features
is a useful process to help protect the public, or just rubber-stamp Security Theater. Certainly
the existing tamper-evident packaging on many (most?) OTC products can be readily
spoofed using low-tech methods.




Department of Homeland Security (DHS) Safety Act 


The U.S. Department of Homeland Security (DHS) approves security products, technologies, and
services submitted for review under the "Support Anti-Terrorism by Fostering Effective Technologies
Act (SAFETY Act) of 2002".[8-10] “The purpose of the Act is to ensure that the threat of
liability does not deter potential manufacturers or Sellers of Qualified Anti-Terrorism Technologies
from developing and commercializing technologies that could significantly reduce the risks
or mitigate the effects of large-scale terrorist events.” [10] The “capability and effectiveness of the
technology under review” is supposed to be evaluated by DHS.[11]


In my experience, many companies use their acceptance for Safety Act "certification" as a marketing
tool, implying that their product, technology, or service has been carefully studied and
found to provide effective security—even for non-terrorism security applications! I am of the
opinion as a vulnerability assessor that a number of products that have already received SAFETY
Act certification seem to have serious vulnerability issues and that the effectiveness of the security
they provide appears dubious, at least for counter-terrorism.


With the SAFETY Act, it is even less clear than with the FDA how DHS decides what deserves
approval or who exactly decides and their qualifications/experience. As with FDA, it is unclear if
many or even any submissions ever get turned down due to security deficiencies, as opposed to
errors and incompletions in the paperwork. (Indeed, DHS has complained about incomplete application
paperwork.[11]) There are online lists of who has been approved under the Safety Act
[11], but no list of who has been disapproved, or even how many applications have been rejected
for reasons involving security efficacy or vulnerabilities.


My concern with the SAFETY Act is that, as with FDA, it can’t be much of an evaluation process
if little or nothing gets rejected for substantive technical and security reasons, not just inadequate 
or incomplete paperwork. 


In September of 2018, I submitted a FOIA Request to DHS requesting documents providing the 
following information: 


1. The number or percent of all SAFETY Act applications that were ultimately rejected wholly 
or partially because they failed one or more of the following SAFETY ACT requirements for the 
proposed technology, service, or program: 

(a) demonstrated substantial utility and effectiveness 

(b) effectiveness for facilitating the defense against acts of terrorism 

(c) no evidence of substantial, unmitigated security vulnerabilities 

(d) Scientific studies were evaluated or conducted, and indicated a substantial reduction in
risks of harm.


2. The same information as in #1 above, except only for SAFETY Act applications involving security
hardware, as opposed to (for example) software, services, techniques, or security programs.


3. The same information in 1 and 2 above, except covering only SAFETY Act applications approved
in the calendar or fiscal year 2017.




4. Information outlining the general procedures and level of effort for evaluating (a) through (d)
above, as well as security vulnerabilities, and the required qualifications for individuals and
organizations doing so.


As with FDA, DHS did not respond within the required 20 days. Like FDA, my FOIA Request involved
health and safety issues and should by law have received expedited processing; it did not.
I have yet to receive any documents from DHS related to my inquiry.


It is difficult to know for sure, but lacking any strong evidence to the contrary, the SAFETY Act
certainly seems to me likely to be mostly Security Theater. There may be some advantage for the
country of shielding security manufacturers, vendors, and providers from severe legal liability in
the event of terrorist attacks. Potentially granting such protection to deeply flawed security
products, technologies, and services does not seem, however, to be a good thing, nor does the
seemingly widely accepted notion that SAFETY Act certification equals good security in the absence
of any meaningful evidence.


References 


1. H Markel, PBS, "How the Tylenol murders of 1982 changed the way we consume medication",
https://www.pbs.org/newshour/health/tylenol-murders-1982


2. FDA, “CFR - Code of Federal Regulations Title 21”, https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm?fr=211.132


3. FDA, "CPG Sec. 450.500 Tamper-Resistant Packaging Requirements for Certain Over-the-Counter
Human Drug Products", https://www.fda.gov/regulatory-information/search-fda-…


4. FDA, "CPG Sec. 450.550 Control and Accountability of Labeling Associated with Tamper-Resistant
Packaging of Over-the-Counter Drug Products",
https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cpg-sec-450550-control-and-accountability-labeling-associated-tamper-resistant-packaging-over


5. FDA, May 1999, “Guidance for Industry: Container Closure Systems for Packaging Human
Drugs and Biologics”, https://www.fda.gov/media/70788/download


6. FOIA.gov, https://www.foia.gov


7. Digital Media Law, “Time Periods Under FOIA”, https://www.dmlp.org/legal-guide/time-periods-under-foia


8. DHS, “Science and Technology”, https://www.dhs.gov/science-and-technology/safety-act 




9. DHS, “Safety Act”, https://www.safetyact.gov 


10. DHS, “Safety Act Application Kit”, https://www.safetyact.gov/externalRes/refDoc/refGroup/1/SAFETY%20Act%20Application%20Kit.pdf


11. Homeland Security Science and Technology, “Safety Act”, https://www.safetyact.gov/lit/at/aa 




Journal of Physical Security 15(1), 53-58 (2022) 


Viewpoint Paper 


Reducing Security Officer Turnover 


Michael A. Silva, CPP, CSC 
Silva Consultants 
www.silvaconsultants.com


The Problem 


The rate of turnover in the contract security industry is legendary, with annual turnover rates 
averaging 200% or more at many client sites. High turnover results in increased costs for 
recruitment and training on an ongoing basis, and increases administrative expenses for both the 
client and the contract security company. 


More importantly, high rates of turnover decrease the overall effectiveness of the contract 
security force. It can take six months or more for security officers to become fully proficient at 
their duties, and having constant officer turnover means that there is a good chance that some or 
all officers on site during any given shift may be new and inexperienced. Inexperienced officers 
have less ability to detect unusual activity because of their unfamiliarity with the site, and are less 
able to make good decisions about what to do or not do. 


Constantly having new and inexperienced security officers on site also reinforces the negative 
perception that many people have of security officers and can prevent employees from taking 
them seriously. 


Isn't This The Security Company's Problem? 


Many clients feel that reducing security officer turnover is entirely the responsibility of the 
contract security company. While the contract security company certainly has an important role 
to play, they cannot do it alone. In fact, many of the steps necessary to improve security officer 
retention can only be done by the client company. Only by working together can the client and 
the contract security company get a handle on the turnover problem. 


It's The Low Pay, Right?


The rate of pay that security officers receive in some parts of the country is ridiculously low,
with some officers being paid at the minimum wage or just slightly above. In many areas, security
officers are paid less than any other class of worker, including food service and janitorial
employees.


While improving the rate of officer pay is one important factor in reducing turnover, it is by no
means the only factor. Security officers who are dissatisfied with their jobs often say that other
issues are as important to them, or even more important to them, than the rate of pay that they
receive. When examining these issues, most revolve around the conditions under which the
security officer must work.


Some of the issues of importance to security officers include:

* Being treated with respect by employees at the site where they are assigned to work.
* Receiving clear direction about what they are supposed to be doing.
* Having a professional work environment and properly functioning equipment.
* Being supported by management when they enforce an established policy or procedure.
* Doing work that they feel is important and valued.
* Receiving acknowledgment when they are doing a good job.
* Having a realistic schedule that allows them to get enough rest between shifts and gives
them enough hours of pay to live on.
* Having medical and retirement benefits.
* Feeling that they are being listened to.


As you can see, many things of importance to the security officer revolve around the way that
they are treated rather than what they are paid. Many of the changes that can greatly improve
working conditions for officers center around improving the way that they are managed, and can
be implemented at little or no additional cost.


Things That Can Improve Working Conditions for Security Officers 


The following are some suggested changes for improving security officer working conditions at 
your site: 


Treat Security Officers with Respect 


Security officers are treated as second-class citizens at many sites, and often are insulted or 
ignored by the company's regular employees. Senior management at the client company should 
set the tone for treating security officers with respect and make it clear that abuse of security 
officers will not be tolerated. 




Get To Know Your Officers 

Client company employees, especially at the management level, should make a point to 
introduce themselves to the security officers and if possible, try and remember their names. 
Something as simple as saying "hello" to a person by name can go a long way in improving 
working conditions for a security officer. 


The person responsible for security at the client company should attempt to personally 
welcome new security officers to the job when they are first assigned to the site. This should be 
done for every new officer, including those that work at night and on weekends. 


Provide Security Officers with Clear Direction 


Security officers should be provided with clear written instructions that describe their job 
responsibilities and the policies and procedures that they must follow. Adequate training should 
be provided to officers and this training should be consistent with the written instructions. All 
verbal directions given to officers should be consistent with the written instructions. Security 
officers should never be asked by employees of the client company to deviate from written 
procedures without the request going through the proper channels. 


Stand Behind Security Officers When They Do the Right Thing 


Security officers should receive the full backing of the client company's leadership team when 
the officer follows established procedures, even if this offends a client company employee. For 
example, if procedures require that all visitors to a facility sign-in, the officer should not be 
reprimanded when he insists that the company president's wife also follow this procedure. 


Having written instructions that are constantly being overridden by a set of "unwritten rules" is 
a surefire way to frustrate even the best security officer and should be avoided at all costs. If 
there is a legitimate reason to have an exception to a rule, it should be clearly documented in the 
security officer's written instructions. 


Acknowledge Excellent Performance


Security officers who do an excellent job should be immediately acknowledged. For example, if
an officer spots a water leak in the computer room and reports it before it can cause damage, he
should receive an acknowledgment of this from a member of the client company's senior
management team. A simple written note costs little to send, yet can mean a great deal to the
individual security officer receiving it.


You should also consider adopting a "Security Officer of the Month" program where officers
who perform above and beyond the call of duty can be officially recognized. Officers who win this
award should be given a certificate and some type of small gift (such as a gift card for a local
restaurant).


Provide a Professional Working Environment


Many security offices and guardhouses are cramped, cluttered places that don't appear to have
been cleaned in years. Patrol vehicles issued to officers are often beaten-up wrecks that don't run
dependably. Flashlights, two-way radios, and other equipment issued to security officers are often
in poor condition and unreliable.




Security officers perform best when they are given a professional working environment that
includes professional-grade tools and equipment. In order to get an officer to act as a
professional, you must first treat him or her as one.


While security offices and guardhouses don't have to be built like the Taj Mahal, they should be 
clean, adequately-sized, and provide a professional working environment for your security 
officers. Security workspaces should be serviced by your janitorial staff and cleaned regularly 
just like any other workspace in the company. 


The tools and equipment used by your security officers should be up-to-date and in good 
working condition. The costs of routinely repairing and replacing equipment should be included 
in your annual security budget. 


Encourage Open Lines of Communication With Security Officers 


The security officers at each site should meet as a group at least twice per year. Officers should 
be paid to attend these meetings to encourage full participation. The primary purpose of these 
meetings is to provide updates to officers on security procedures for the site and to give officers 
an opportunity to air their grievances and express their ideas and opinions. 


The person responsible for security at the client company should regularly attend security 
officer meetings so that he or she can directly hear security officer opinions without them being 
filtered through the contract security company's site supervisor or branch manager. 


Educate Security Officers About Your Business


Efforts should be made to educate security officers on the client company's business: what it
does, who it serves, what types of operations are involved, etc. This information should be
included in the initial training curriculum for each officer, and reinforced through ongoing
continuing educational activities.


Managers from various departments at the client company should be asked to periodically 
attend security officer meetings and provide a brief presentation explaining to the officers what 
their business unit does. 


Create Realistic Schedules 

Creating a schedule that meets the security needs of a business at a reasonable cost can be 
challenging, but responsibility for solving scheduling problems should not be placed on the backs 
of individual security officers. Asking a security officer to drive all the way across town to cover a 
two-hour shift, or asking an officer that got off duty at 2:00 AM to report back at 8:00 AM the 
same day, is unrealistic and inconsiderate to the needs of the security officer. 


I recommend that officers not work more than 12 consecutive hours in any 24-hour period,
and for not more than 60 hours in any seven-day period. Off-duty periods should be scheduled
to provide for an uninterrupted eight-hour sleep cycle.




Officers should receive a minimum of four hours of pay anytime that they are called in.
Schedules should be balanced so that all officers receive an adequate number of hours to live on.
Attempts should be made to accommodate any special scheduling requests of individual officers
when this can be done without impacting the business.


Make Company "Perks" Available to Security Officers 


Many client companies offer a range of perquisites to their employees, including things such as 
free parking, health and fitness clubs, cafeterias, and company stores. In most cases, these 
company "perks" are for company employees only, and are off limits to the employees of 
contractors, such as contract security officers. 


I suggest that the client company rethink this policy, and consider offering at least some perks 
to security officers for free or at a reduced cost. The financial impact of doing this can be minimal 
to the company, while adding a few benefits will be appreciated by the security officers and can 
greatly change their perception of their job. 


Security Officer Pay 


Quality contract security officers prefer to work at the sites that offer the best pay and the best 
working conditions. Once assigned to such a site, officers want to stay there, and generally 
perform at a high level so that they can maintain their position. The result: much lower officer 
turnover and better quality officers. 


Trying to cut corners on officer pay can be false economy. Paying the absolute lowest rate may 
appear to reduce costs, but in actuality costs more because of increased administrative and 
training expenses. 


Often paying only one or two dollars per hour above the median market rates can attract the 
best quality officers and greatly reduce officer turnover. Increasing the rate of officer pay by a 
dollar or two usually only increases the total annual cost of providing security services by 10% to 
20%. In my opinion, this is a small price to pay for improved security officer performance. 


It is recommended that clients conduct a survey of the rates that security officers are being paid 
in their community. Information on pay rates can be obtained by talking with your peers at other 
facilities, and by looking at recruiting postings on job boards and on services such as Craigslist. 


Once rates of pay in your community have been established, create a chart that allows you to
see how the rates that your company is paying compare to those being paid at other sites. If the
rate that you are paying is significantly below that being paid at other sites, this is something that 
should be further evaluated. The value of any benefits provided should be included in your pay 
rate evaluation. Many people working as security officers greatly value things such as medical 
benefits, and may be happy working for a lower rate of pay at a site that provides such benefits. 




About the Author 


Michael A Silva, CPP, CSC is an independent security consultant who has been practicing since
1985. He has served a wide variety of clients in industries such as healthcare, R&D, biotechnology,
manufacturing, insurance & financial services, warehousing & distribution, and
multifamily housing.




Journal of Physical Security 15(1), 59-66, (2022) 


Viewpoint Paper 


In Risu Veritas* 


Roger G. Johnston, Ph.D., CPP 
Right Brain Sekurity 
https://rbsekurity.com 


The people who fear humor, and they are many, are suspicious of its power to present 
things in unexpected lights, to question received opinions, and to suggest unforeseen 
possibilities. 

-- Robertson Davies (1913-1995) 


Introduction 


Humor is a lot more than just telling jokes. It can be a powerful tool in security. Humor can
be used to entertain and refocus attention during lengthy meetings, presentations, and training.
It can place a strong emphasis on important points and make them memorable. Appropriate humor
can help engender a sense of fun, purpose, community, and connection among employees. It
can sometimes reduce tension and put people at ease. Self-deprecating humor by supervisors
and managers may make authority figures seem more approachable, modest, and likable.


Humor can also be used as a persuasive tool to pointedly criticize organizations and conventional
security approaches. It often makes us think, provides thought triggers, and gets us out of
our mental rut, allowing us to think more proactively, critically, and creatively about security.
Perhaps most importantly, humor is an excellent antidote for security complacency, arrogance,
inertia, failure to be proactive, and problems with cognitive dissonance that so often plague security
programs and organizations.


Evidence that humor can perform all of these functions in general—though not specifically in 
the realm of security—can be found in, for example, references [1-5] and the following quote: 


A sense of humor is part of the art of leadership, of getting along with people, of getting things done. 


-- Dwight D. Eisenhower (1890-1969) 


* Latin for “there is truth in humor.” This paper was not peer reviewed.


Theories of Humor


There have long been competing theories of humor [6-8] but none seem to fully capture the
nature of humor. Early philosophers thought that the primary motivator for humor is pleasure at
the pain or foibles of others, which is what I call the “Schadenfreude Model” but others
sometimes call the “Superiority Model”. The “Tension and Release Model” of humor is the basis
for a lot of TV situation comedies—create a funny situation and resolve it in whimsical ways. The
more modern “Incongruity Theory” maintains that “... humor results when our brains perceive
two things as coexisting in a manner that does not at first appear to make logical sense and that
laughter or humor occurs when the discomfort caused by this incongruity is resolved in some
way”. Another theory is the “Benign Violation Theory”, which is about being amused or gratified
at witnessing non-threatening violations of conventions or authority.


At least for me, it seems that most humor occurs for one or more of these reasons: 

1. being presented with absurdities that tickle our fancy; 

2. getting amusement from being surprised, including by learning that our preconceived 
notions of the situation were wrong; 

3. obtaining pleasure at the release of tension between two ideas or situations that 
initially seemed contradictory; 

4. having admiration for the wit of the anecdote or observation, and/or its teller; 

5. being pleased with ourselves for uncovering some double meaning or a hidden dig. 


Types of Humor 


Experts on humor cannot agree on exactly how many kinds of humor there are. Many say there
are 4 or 5 kinds [1, 6, 9-11], such as:


* Affiliative: Using humor to make others like us.
* Self-Enhancing: Using humor for coping, to laugh at ourselves, and to make us feel better.
* Aggressive: Satire, parody, ridicule, mockery, humorous imitation.
* Self-Deprecating: Humor at our own expense to get others to like us.


OR


* Subverting: Humor that surprises us or subverts our expectations. Think “Why did the
chicken cross the road?”
* Double Entendre: Humor that involves something that means two things at the same time.
Often sexual in nature but this is not a requirement.
* Disparaging: Making fun of someone, something, or an organization through satire, parody,
spoofing, mockery, ridicule, or exaggerated imitation/caricature.
* Slapstick: Physical humor. Think pie in the face or slipping on a banana peel.
* Countersignaling: Mixed messages such as saying disparaging things to your friend in jest,
when it is socially acceptable due to your close connections.


Nichol [10] and Tyagi [11] have identified many more kinds of humor (20 and 45, respectively),
though I suspect there are still some missing. These might include (1) accurately quoting stupid
statements (or showing accurate embarrassing photos) as a kind of mockery, and (2) invoking
familiar and endearing character flaws in well-known characters. This is sometimes called
“Mechanical Humor” and often used in TV situation comedies.




My Experience with Security Humor 


Much of the humor used for security does not initially seem to be about security, but actually is.
I have found that people can better absorb and remember the intended idea(s) by having to work 
out for themselves why a given funny statement is relevant for security. 


The types of humor I have used in the past for security (to apparently good effect) include the 
following: 


1. Silly, absurd, or incongruous jokes or quotes for an audience for purposes of entertainment, 
to wake people up during a long or complex presentation, or to make a personal connection with 
members of the audience. Examples: 


Q: Who did King Arthur leave in charge of security? 
A: Sir Veillance 


Bumper Sticker: I’m not afraid of Terrorists...I have teenagers.


“Ich bin ein Berliner.” [I am a jelly donut.] 
-- John F. Kennedy (1917-1963), addressing the citizens of Berlin in front of the Berlin Wall in 1963 


I dream of a better tomorrow, where chickens can cross the road and not be questioned about their motives.
-- Ralph Waldo Emerson (1803-1882)


Actual courtroom testimony:
Attorney: Are you sexually active?
Witness: No, I just lie there.


A man parks his car near a government building. A security guard comes running up and says, “You can’t
park here! There are many important politicians and VIPs who work here and often pass through this
area.” The driver says, “Oh, there’s no need to worry. I locked the doors.”


2. Self-Deprecating humor. This is useful to connect with employees or an audience, and can be 
used to emphasize security mistakes that I have made in the past that I would like others to avoid. 
Some examples: 


I often work as a security consultant. You know the definition of a consultant? consultant: (1) Someone 
who charges too much to spew out platitudes, vacuous suggestions, and common sense. (2) A person who 
couldn't hold down a real job. 


Thank you for the opportunity to talk to you today about how to do better vulnerability assessments.
Hopefully these ideas will be useful, or at least thought-provoking. I can’t, however, claim to have all the
answers...I left some of them in the pocket of my other pants.


Many security devices have mechanical tamper switches. In my experience, these are almost always easy to 
defeat and do not represent serious security. There is, for example, a mechanical tamper switch on my 
refrigerator. When the door opens, a light comes on—presumably to scare away the intruder. But it doesn’t 
seem to work with me. [Patting my ample belly.] 




3. Jokes to emphasize a security point and make it more memorable. This is often a good way to
introduce or conclude a detailed discussion about vulnerabilities, risk assessment, attack scenarios,
countermeasures, Security Culture, or insider threat mitigation. For example, jokes with non-overt
implications for security metrics and the Fallacy of Precision include:


A friend of mine recently got married. She says her new husband is 1 in a million. Personally, I think she
should have held out for at least an 8 out of 10.


I don’t understand ballet. The ballerinas spend much of the time dancing on their toes. Seems like it would 
make a lot more sense just to hire taller dancers. 


Q: How many people work here? 
A: About half. 


A businessman found himself in a large city with a few hours to kill during one of his trips, so he decided to 
go downtown to visit the Natural History Museum. There in the main atrium was a huge dinosaur skeleton. 
After staring at this impressive creature for a while, he decided to strike up a conversation with a nearby 
security guard. “How old do you think that thing is?” the man asked. “Well, sir, that dinosaur is 66 million 
and 23 years old,” said the guard. “66 million and 23!” exclaimed the businessman, “How do you know 
that?” “Well,” said the guard, “when I first started working here 23 years ago, they told me it was 66 million 
years old.” 


4. Subversive humor to criticize/ridicule certain management or security practices, mistakes, or
a flawed Security Culture, often without explicitly identifying the target organization(s).
Individuals are not usually the target.


A Dell technician received a call from a customer who was enraged because his computer had told him he 
was “bad and an invalid”. 


Is it ignorance or apathy? Hey, I don’t know and I don’t care.
-- Jimmy Buffett


A conference is a gathering of important people who singly can do nothing, but together can 
decide that nothing can be done. 
-- Fred Allen (1894-1956) 


The great thing about standards is that there are so many to choose from. 
-- old engineering joke 


I've been watching a lot of game shows, and I've observed that the people with the answers come and go, but 
the man with the questions has a permanent job. 
-- Gracie Allen (1895? - 1964) 


5. Accurately quoting stupid statements (or showing accurate, embarrassing photos of bad management,
poor security, or Security Theater) as a form of criticism and ridicule to try to prevent
such practices from being repeated by others, or to encourage more critical thinking. Here are
some examples, but many more can be found in reference [12]:




I don’t have the first clue who he is talking about because all I worry about is Jerome. 
-- Basketball player Jerome James, responding to criticism from his coach that he was selfish 


We know that communication is a problem, but the company is not going to discuss it with the employees. 
-- Infamous AT&T memo 


How long is this Beta guy going to keep testing our stuff?
-- Actual inquiry from a senior manager


Actual courtroom testimony:
Lawyer: What about the research?
Witness: I don’t think there is any research on that. There’s a logical hunch that may be true, but I know of
no research study that would support that.
Lawyer: What about common sense?
Witness: Well, I’m not here using common sense. I’m here as an expert.


6. Witty, memorable quotes to succinctly summarize a point. Below are some examples I have
used but more can be found in reference [12].


The problem with common sense is that it is not all that common. 
-- Voltaire (1694-1778) 


Sincerity is everything. If you can fake that, you’ve got it made. 
-- George Burns (1885-1996) 


When everybody is thinking alike, then nobody is thinking. 
-- General George S. Patton (1885-1945). 


Inspector Jacques Clouseau: The good cop/bad cop routine is working perfectly. 
Ponton: You know, usually two different cops do that. 
-- From the movie, The Pink Panther (2006) 


7. Security Maxims. These are generalized truisms about security that are often satirical,
tongue-in-cheek, or hyperbole but that make very important points about security. Here are some
examples, but 200+ more can be found in the appendix of reference [13].


You Must Be High Maxim 1: Any security product that is labeled “high security” isn't. 


Hi Mom! Maxim: When officials release a photo or video recording of a crime, asking if the public
recognizes the perpetrator(s), the image quality will be so poor that you couldn’t recognize your own mother.


Thinking Outside the Bun Maxim: Any security manager who cannot think of a new place to have lunch 
oversees a poor security program. 


Cowboy Maxim: You can lead a jackass to security, but you can't make him think. 


Fool-On-Fool Maxim: The incompetence of any security program is proportional to the degree of obsession 
with the idea that the major threat is a small band of stupid, unprepared adversaries who mindlessly attack 
straight on, using force and zero insiders. Comment: Somehow, the number of envisioned attackers is 
always less than the number the security program can purportedly neutralize. 


Oh, the Lovely Colors! Maxim: High-level corporate executives will be convinced the organization has good
security if they are shown lots of detailed, colorful graphs, spreadsheets, and charts about security
meetings and training.


8. Satirical, cynical, ironic, smart-ass, and/or fanciful “definitions” of security terms to emphasize 
common problems with security. Here are some examples, but hundreds more can be found in 
reference [14]. 


best practice: Those guys don’t know what the hell they are doing either, but at least they seem confident. 


zero-day attack: The time origin for the start of a new malware attack, designated as "zero-day" because we
haven't actually thought about security prior to this time.


product anti-counterfeiting tag: Something a manufacturer or product counterfeiter places on a product 
to make the customer think it is authentic. 


blue team: The group of security professionals who feel sad about how easily the red team’s mock attacks 
defeat our security. 


business continuity plan: Making sure that, after a catastrophe, senior executives still get paid. 


critical infrastructure: The rundown buildings and facilities we are supposed to be protecting, called 
“critical” for the same reason as a very sick person in the hospital. 


decipher: Turning gibberish ciphertext into gibberish plaintext. 


due diligence: Doing the minimum we can get away with and still avoid major jury awards. 


9. Jolt Humor. This is unexpected or incongruous humor that may help people get out of their 
mental ruts and think differently and more creatively. Examples: 


I'd say, "It's a Buttmaster, Your Holiness." 

-- Suzanne Somers on how she would respond if the Pope asked her the name of the exercise machine she 
promotes 

When I was a child, I wanted to be a nuclear engineer, but it turns out they don’t let children do that. 


Sign outside a card shop: “I Love You Only” Valentine’s Day cards. Now available in multi-packs! 


Warning label found on a CD player: “Do not use the UltraDisc 2000 as a projectile in a catapult.”


A complete ripoff of Jaws. 
-- One-star review on Amazon.com of Herman Melville’s classic 1851 novel, Moby Dick 


This carbon monoxide detector saved my son’s life. I give it 4 out of 5 stars. 
-- Actual Amazon.com review 


Our enemies are innovative and resourceful, and so are we. They never stop thinking about new ways to 
harm our country and our people, and neither do we. 
-- George W. Bush 


From a home advice column in the Columbus (Ohio) Citizen: 


Q: What does the threat count printed on the label of bed sheets and pillow cases indicate? 
A: The massacre of Fort Mickinac in 1763 by Chief Pontiac of the Ottawas. 


Apparently, “we were promised an open bar” is not the objection the minister was looking for. 




Conclusion 


Appropriate humor has many potential benefits for security. As the actor Peter Ustinov 
(1921-2004) put it, “Comedy is simply a funny way of being serious.” 


References 


1. T Hack, “Humor as a Cognitive Dissonance Reduction Strategy: A Focus on Speakers”,
https://www.academia.edu/3507872/Humor_as_a_Cognitive_Dissonance_Reduction_Strategy_A_Focus_on_Speakers


2. M Gips, “Humor in Leadership? Funny you should ask”, Security, May 3, 2021, https://www.se-
: leadership-f 


3. KL Hobden and JM Olson, “From Jest to Antipathy: Disparagement Humor as a Source of
Dissonance-Motivated Attitude Change”, Basic and Applied Social Psychology 15(3), 239-249
(1994), https://www.tandfonline.com/doi/abs/10.1207/s15324834basp1503_2


4. CA Kramer, Subversive Humor, Ph. D. thesis, sect nn phivetsily, May 20s https: L/ 
; =1424& 


5. CA Kramer, “Subversive Humor as Art and the Art of Subversive Humor”,
https://philarchive.org/archive/KRASHA-2


6. W Fenza, “The Unified Theory of Humor”, May 6, 2014,
https://livingwithinreason.com/2014/05/06/the-unified-theory-of-humor/


7. A Libera, “The Science of Comedy (Sort of)”, AMA Journal of Ethics 22(7), E602-E607 (2020),
https://journalofethics.ama-assn.org/article/science-comedy-sort/2020-07


8. NS Rastogi, “5 Leading Theories for Why We Laugh—and the Jokes That Prove Them Wrong”, 
Slate, May 13, 2011, cues //slate. comculure sa Loaf. -leading-theories-for-why-we-laugh- 
-the-jokes-th 


fivesuch%20hypotheses%20%E2%80%94%20plus%20the,Austin%20Powers%E2%80%99%2 
Osingle-mindedsex-drive.%20...%205%20The%20Release%20Theory 


9. “Which of the 4 Senses of Humor do you Have?”, https://www.youtube.com/watch?v=9X8k- 
S70r92M 


10. M Nichol, “20 Types and Forms of Humor”, DailyWritingTips,
https://www.dailywritingtips.com/20-types-and-forms-of-humor/


11. S Tyagi, “45 Types of Humor with Examples”, https://humornama.com/featured/education/types-of-humor/


12. RG Johnston, Security Sound Bites: Important Ideas About Security From Smart-Ass, Dumb-Ass, 
and Kick-Ass Quotations, https://www.amazon.com/dp/1460987381 


13. RG Johnston, Vulnerability Assessment: The Missing Manual for the Missing Link,
https://www.amazon.com/dp/B08C9D73Z9


14. RG Johnston, Devil’s Dictionary of Security Terms, https://www.amazon.com/dp/B08CP92PCC




